Malware Analysis Tricky adware or malicious ?

L

likeastar20

Level 8
Thread author
Verified
Mar 24, 2016
361
Requesting @struppigel to take a look.

This sample is spread on websites that host cracked games. However, the malicious file is not the downloaded cracked game itself. Instead, when you click the download link and you don't have an ad blocker, you will be redirected to another website. The file tricks the user into thinking it is the game by having the same name. The sample seems to be tricky to run in a sandbox/VM(it installs 7zip?). It may also install malicious extension(s)? I've seen a lot of people get infected by similar adware/malware and that's why I want to raise awareness.

Main installer:

VirusTotal

VirusTotal
www.virustotal.com www.virustotal.com

dc287b1f38dfd32bdd479048022dba205674c378882867499ae216cbd251f6f5 | Triage

Check this report malware sample dc287b1f38dfd32bdd479048022dba205674c378882867499ae216cbd251f6f5, with a score of 5 out of 10.
tria.ge tria.ge


—————————————————————————

One of the Dropped files?:

VirusTotal

VirusTotal
www.virustotal.com www.virustotal.com

f52e4263afa3bcb5124ebd6da3a246453e0a009149cf01c17d72b51a6f5bf094 | Triage

Check this report malware sample f52e4263afa3bcb5124ebd6da3a246453e0a009149cf01c17d72b51a6f5bf094, with a score of 1 out of 10.
tria.ge tria.ge

Free Automated Malware Analysis Service - powered by Falcon Sandbox - Viewing online file analysis results for 'RigidvApp.exe'

Submit malware for free analysis with Falcon Sandbox and Hybrid Analysis technology. Hybrid Analysis develops and licenses analysis tools to fight malware.
www.hybrid-analysis.com www.hybrid-analysis.com
 
Last edited:
  • Like
  • +Reputation
Reactions: brambedkar59, Nevi, cryogent and 3 others
Xeno1234

Xeno1234

Level 14
Jun 12, 2023
699
I myself am not a malware analysist, but on sandbox reports, there doesn’t seem to be malicious activity (no bad malicious indicators with Hybrid Analysis, and for Triage it’s just gets geo location. However, avast has a Evo Gen detection which I believe means the file has a signature (correct if wrong)

VT has no malicious indicators and K Opentip is clean.
 
  • Like
Reactions: Kongo, [correlate] and likeastar20
struppigel

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
656
It is malicious, I recognize the packer. Ridiculous version info too ("RigidFEELINGTool.exe"), plus the name on hybrid is "FREE-STEAM.txt_164164.exe" --> standard double extension trick, here followed by the _16416 to not trigger AV detection that look for txt.exe
Not sure if I have time this week to dig deeper, though.
 
  • Like
  • +Reputation
  • Thanks
Reactions: brambedkar59, [correlate], blackice and 7 others
L

likeastar20

Level 8
Thread author
Verified
Mar 24, 2016
361
Xeno1234 said:
I myself am not a malware analysist, but on sandbox reports, there doesn’t seem to be malicious activity (no bad malicious indicators with Hybrid Analysis, and for Triage it’s just gets geo location. However, avast has a Evo Gen detection which I believe means the file has a signature (correct if wrong)

VT has no malicious indicators and K Opentip is clean.
Click to expand...
BitDefender has added detection for the dropped file. I love how quickly they add things after you submit them.

EDIT1: Kaspersky added a detection for the installer "UDS:Trojan.Win32.Delf.a" and dropped file "UDS:Trojan.Win32.Agentb.a".
 
Last edited:
  • Like
Reactions: brambedkar59, plat, B-boy/StyLe/ and 2 others
Xeno1234

Xeno1234

Level 14
Jun 12, 2023
699
likeastar20 said:
BitDefender has added detection for the dropped file. I love how quickly they add things after you submit them.

EDIT1: Kaspersky added a detection for the installer "UDS:Trojan.Win32.Delf.a" and dropped file "UDS:Trojan.Win32.Agentb.a".
Click to expand...
Well, guess I was wrong. Why didn’t VT show anything malicious on the MITRE ATT&CK matrix?

Also - I believe these are automatic cloud detections as apposed to Signatures - K Opentip detects it as VHO:Trojan.Win32.Delf.a and Trojan.Win32.Agentb.a implying it was detected either via Opentip or other means. It could be signatures, but I dont see it being a UDS_____ detection instead of a signature detection.
 
Last edited:
  • Like
Reactions: Kongo and [correlate]
L

likeastar20

Level 8
Thread author
Verified
Mar 24, 2016
361
Xeno1234 said:
Well, guess I was wrong. Why didn’t VT show anything malicious on the MITRE ATT&CK matrix?

Also - I believe these are automatic cloud detections as apposed to Signatures - K Opentip detects it as VHO:Trojan.Win32.Delf.a and Trojan.Win32.Agentb.a implying it was detected either via Opentip or other means. It could be signatures, but I dont see it being a UDS_____ detection instead of a signature detection.
Click to expand...
Maybe, I submitted the files through their support + from OpenTip as well.
 
  • Like
Reactions: Kongo
L

likeastar20

Level 8
Thread author
Verified
Mar 24, 2016
361
Xeno1234 said:
When did you see the detections? Opentip or through support?
Click to expand...
They were never detected by OpenTip, but once the OpenTip analysis is complete, you can submit them to Kaspersky from there, so I did. But I also went to their support page and sent the sample to their email.
 
  • Like
Reactions: Kongo
Xeno1234

Xeno1234

Level 14
Jun 12, 2023
699
likeastar20 said:
They were never detected by OpenTip, but once the OpenTip analysis is complete, you can submit them to Kaspersky from there, so I did. But I also went to their support page and sent the sample to their email.
Click to expand...
Did you get any responses saying a detection was added?
 
  • Like
Reactions: Kongo
Xeno1234

Xeno1234

Level 14
Jun 12, 2023
699
I downloaded a sample and it was detected by Cloud Detection instead of databases - maybe a user was infected and K blocked it.
 
  • Like
Reactions: Kongo
L

likeastar20

Level 8
Thread author
Verified
Mar 24, 2016
361
@struppigel Found another one, i think it's related, same packer.

SFX Archive:

VirusTotal

VirusTotal
www.virustotal.com www.virustotal.com

===== ===== ===== ===== ===== ===== ===== ===== ===== ===== ===== ===== ===== ===== ===== ===== ===== ===== ===== ===== ===== ===== ===== ===== =====

Original rar:

550ce115cebc5a59fa8ef847b035fcaa7b46de30d46d5a8f63f07fe00d96115e | Triage

Check this report malware sample 550ce115cebc5a59fa8ef847b035fcaa7b46de30d46d5a8f63f07fe00d96115e, with a score of 7 out of 10.
tria.ge tria.ge


EDIT1: Evasive 🤔

Free Automated Malware Analysis Service - powered by Falcon Sandbox - Viewing online file analysis results for 'SpecialDoveJZM.EXE'

Submit malware for free analysis with Falcon Sandbox and Hybrid Analysis technology. Hybrid Analysis develops and licenses analysis tools to fight malware.
www.hybrid-analysis.com www.hybrid-analysis.com
 
Last edited:
  • Like
Reactions: Kongo

Similar threads

Xeno1234
    • Like
Malware Analysis Evasive Stealer or Broken Sample?
Replies
12
Views
967
Malware Analysis
struppigel
struppigel
L
    • Like
    • +Reputation
    • Thanks
Question Steamunlocked malware?
Replies
41
Views
3,882
Malware Analysis
struppigel
struppigel
Xeno1234
    • Like
Malicious or just a sketchy program?
Replies
10
Views
774
Malware Analysis
struppigel
struppigel

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top