Suspicious "game"

Status
Not open for further replies.
L

likeastar20

Level 9
Thread author
Verified
Mar 24, 2016
423
I want to hear your thoughts on this "game".


VirusTotal

VirusTotal
www.virustotal.com www.virustotal.com

dca13fc006a3b55756ae0534bd0d37a1b53a219b5d7de236f20b0262f3662659 | Triage

Check this report malware sample dca13fc006a3b55756ae0534bd0d37a1b53a219b5d7de236f20b0262f3662659, with a score of 7 out of 10.
tria.ge tria.ge

opentip.kaspersky.com

Kaspersky Threat Intelligence Portal

Kaspersky Threat Intelligence Portal allows you to scan files, domains, IP addresses, and URLs for threats, malware, viruses
opentip.kaspersky.com opentip.kaspersky.com

 
Last edited by a moderator:
  • Like
  • +Reputation
Reactions: Zartarra, Shadowra, ForgottenSeer 76546 and 8 others
struppigel

struppigel

Super Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
667
This is from the VT behavior tab:
1688205032938.png


And ageostealer (dot) wtf has some other suspicious files communicating with it. See also VirusTotal

1688205285759.png


So from triage I would say it looks like malware.
(I did not analyse this file, I have only 20 minutes right now)
 
  • Like
  • +Reputation
Reactions: Nevi, Zero Knowledge, vtqhtr413 and 11 others
L

likeastar20

Level 9
Thread author
Verified
Mar 24, 2016
423
Shadowra said:
@Trident detected by Harmony ? :)
Click to expand...
The sample seems to be "broken" on my machine, or I think you need to have Discord installed(?) or something else. When I run it I get some errors but I can still see its spawned processes in task manager and it is connecting to the internet. I have tried Avast, Eset, GData, Kaspersky, Bitdefender and they detect nothing. Only Norton "found" something.

ah.PNG



asasdasd.PNG
qwerqwer.PNG
 
  • Like
  • +Reputation
  • Applause
Reactions: SeriousHoax, Nevi, Zero Knowledge and 3 others
Shadowra

Shadowra

Level 37
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,630
likeastar20 said:
The sample seems to be "broken" on my machine, or I think you need to have Discord installed(?) or something else. When I run it I get some errors but I can still see its spawned processes in task manager and it is connecting to the internet. I have tried Avast, Eset, GData, Kaspersky, Bitdefender and they detect nothing. Only Norton "found" something.

View attachment 276769


View attachment 276770View attachment 276771
Click to expand...
Typical of this type of Trojan, Discord must be installed, as it will steal the account's connection token.
 
  • Like
Reactions: simmerskool, Nevi, Zero Knowledge and 6 others
partha_roy

partha_roy

Level 3
Well-known
Oct 16, 2022
128
likeastar20 said:
The sample seems to be "broken" on my machine, or I think you need to have Discord installed(?) or something else. When I run it I get some errors but I can still see its spawned processes in task manager and it is connecting to the internet. I have tried Avast, Eset, GData, Kaspersky, Bitdefender and they detect nothing. Only Norton "found" something.

View attachment 276769


View attachment 276770View attachment 276771
Click to expand...
AVG detects it as suspicious with the hardened mode enabled. I did run it though and saw it create a start-up item, and spawn some processes in the background that definitely looked suspicious

It wouldn't let me open the process explorer for some reason and after I killed the processes from the task manager, the process explorer started right away; ran sfc /scannow right after just to check if anything was corrupted and it said "the requested operation could not be performed".. the dism restore couldn't help either

Definitely malicious in my eyes
 
  • Like
  • Wow
Reactions: plat, piquiteco, Dave Russo and 1 other person
partha_roy

partha_roy

Level 3
Well-known
Oct 16, 2022
128
It's not just stealing information; I am pretty sure that it's designed to impair the system too
 
Trident

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
likeastar20 said:
Did you get any errors when you ran the sample?
Click to expand...
It was terminated very quick and forensic analysis was started. I didn't see any errors. Notice from the report under "File Ops" that it accessed Edge credit card and password databases. At that point it has become suspicious as this is also the last one on the Att&CK Matrix and cleanup has been initiated before it can put anything in the archive. Notice the archive is 0 bytes.

Uuuh someone didn't handle their exceptions with try and catch... shame.
 
  • Like
  • Wow
Reactions: plat, Nevi, Zero Knowledge and 5 others
L

likeastar20

Level 9
Thread author
Verified
Mar 24, 2016
423
Trident said:
It was terminated very quick and forensic analysis was started. I didn't see any errors. Notice from the report under "File Ops" that it accessed Edge credit card and password databases. At that point it has become suspicious as this is also the last one on the Att&CK Matrix and cleanup has been initiated before it can put anything in the archive. Notice the archive is 0 bytes.
Click to expand...
Try another AV to see if it is detected now. When I tried, no reaction whatsoever from the likes of Kaspersky, Avast, BD, GDATA,ESET(was it because of the errors @Trident?). Many hours have passed since then, it should be detected by now...
 
Last edited:
  • Like
Reactions: plat, Dave Russo and Trident
Trident

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
likeastar20 said:
Try another AV to see if it is detected now. When I tried, no reaction whatsoever from the likes of Kaspersky, Avast, BD, GDATA,ESET(was it because of the errors @Trident?). Many hours have passed since then, it should be detected by now...
Click to expand...
This sample is similar to the other one that @Kongo posted. I am not sure why detections haven’t been added, did you guys submit to anyone?
@struppigel can you have a look at this sample and see it it’s just me or they are similar?
malwaretips.com

Malware Analysis - Supposed "Game" that actually is stealer malware

Hey guys, Just stumbled upon this video and thought why not checking out the file by myself. By now the malware should be at least two months old and still isn't detected by any AV on VirusTotal except ESET. Normally malicious PE files are detected easily by AI-based AV solutions and...
malwaretips.com malwaretips.com
 
  • Like
  • +Reputation
Reactions: Nevi, Zero Knowledge, Kongo and 3 others
struppigel

struppigel

Super Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
667
Kongo said:
Not detected by GData yet. You're enjoying your weekend too much. 👀
Click to expand...
Can't do anything about that because I am on vacation and have no access to any system at work. If you are bothered by that, submit it to GDATA or Bitdefender, both will do.

I unpacked the code by now.
You first unpack Nullsoft script with 7z, then from these files extract app-64.7z, then download and install Asar plugin for 7zip and unpack app.asar.
Inside that one is a coreAES.js which contains encrypted data.
I put the code into an online Node JS compiler and replaced the last line with console.log('%s', decrypted) to print the decrypted malware.

I uploaded it to malshare in case anyone is interested.
This is the decrypted JS file: VirusTotal
You will find it on malshare with the same hash.

It is > 3000 lines of code, but here are some interesting parts:

1688231497505.png


1688231441087.png


1688231249189.png

1688231388415.png
 
Last edited:
  • +Reputation
  • Like
Reactions: Nevi, Zero Knowledge, piquiteco and 11 others
L

likeastar20

Level 9
Thread author
Verified
Mar 24, 2016
423
piquiteco said:
MD detects in static analysis how Trojan:Win32/CryptInject!MSR. :)
Click to expand...
My friend mentioned that he submitted it to Microsoft yesterday, among other vendors. Dr.Web responded to him saying it's corrupted and presents no danger
Screenshot_20230701_203624_Gmail.jpeg


I was too lazy to submit it myself because the file size is not that small (70mb) and most of the upload sites have a limit (BD 25mb, Avast 50mb, Avira 50mb etc). You probably have to send it directly to their email.
 
Last edited by a moderator:
  • Like
  • +Reputation
Reactions: Nevi, Kongo, Dave Russo and 3 others
Status
Not open for further replies.

Similar threads

Sandbox Breaker
    • Like
  • Locked
Evasive VBS with very low VT
Replies
74
Views
6,441
Malware Analysis Archive
Sandbox Breaker
Sandbox Breaker
Sandbox Breaker
    • Like
    • +Reputation
Signed Sample - Very Suspect
Replies
5
Views
1,150
Malware Analysis Archive
harlan4096
harlan4096
L
    • Like
    • +Reputation
Evasive Sample
Replies
12
Views
2,131
Malware Analysis Archive
piquiteco
piquiteco

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top