Malware Analysis Tricky adware or malicious ?

[likeastar20]

Requesting @struppigel to take a look.

This sample is spread on websites that host cracked games. However, the malicious file is not the downloaded cracked game itself. Instead, when you click the download link and you don't have an ad blocker, you will be redirected to another website. The file tricks the user into thinking it is the game by having the same name. The sample seems to be tricky to run in a sandbox/VM(it installs 7zip?). It may also install malicious extension(s)? I've seen a lot of people get infected by similar adware/malware and that's why I want to raise awareness.

Main installer:

VirusTotal

VirusTotal

www.virustotal.com

Triage | Behavioral Report

Have a look at the Hatching Triage automated malware analysis report for this sample, with a score of 5 out of 10.

tria.ge

https://www.hybrid-analysis.com/sample/dc287b1f38dfd32bdd479048022dba205674c378882867499ae216cbd251f6f5/64feebdcfabf77e1170984d1

—————————————————————————

One of the Dropped files?:

VirusTotal

VirusTotal

www.virustotal.com

Triage | Malware sandboxing report by Hatching Triage

Have a look at the Hatching Triage automated malware analysis report for this sample, with a score of 1 out of 10.

tria.ge

Free Automated Malware Analysis Service - powered by Falcon Sandbox - Viewing online file analysis results for 'RigidvApp.exe'

Submit malware for free analysis with Falcon Sandbox and Hybrid Analysis technology. Hybrid Analysis develops and licenses analysis tools to fight malware.

www.hybrid-analysis.com

 

[Xeno1234]

I myself am not a malware analysist, but on sandbox reports, there doesn’t seem to be malicious activity (no bad malicious indicators with Hybrid Analysis, and for Triage it’s just gets geo location. However, avast has a Evo Gen detection which I believe means the file has a signature (correct if wrong)

VT has no malicious indicators and K Opentip is clean.

 

[struppigel]

It is malicious, I recognize the packer. Ridiculous version info too ("RigidFEELINGTool.exe"), plus the name on hybrid is "FREE-STEAM.txt_164164.exe" --> standard double extension trick, here followed by the _16416 to not trigger AV detection that look for txt.exe
Not sure if I have time this week to dig deeper, though.

 

[likeastar20]

I myself am not a malware analysist, but on sandbox reports, there doesn’t seem to be malicious activity (no bad malicious indicators with Hybrid Analysis, and for Triage it’s just gets geo location. However, avast has a Evo Gen detection which I believe means the file has a signature (correct if wrong)

VT has no malicious indicators and K Opentip is clean.

BitDefender has added detection for the dropped file. I love how quickly they add things after you submit them.

EDIT1: Kaspersky added a detection for the installer "UDS:Trojan.Win32.Delf.a" and dropped file "UDS:Trojan.Win32.Agentb.a".

 

[Xeno1234]

BitDefender has added detection for the dropped file. I love how quickly they add things after you submit them.

EDIT1: Kaspersky added a detection for the installer "UDS:Trojan.Win32.Delf.a" and dropped file "UDS:Trojan.Win32.Agentb.a".

Well, guess I was wrong. Why didn’t VT show anything malicious on the MITRE ATT&CK matrix?

Also - I believe these are automatic cloud detections as apposed to Signatures - K Opentip detects it as VHO:Trojan.Win32.Delf.a and Trojan.Win32.Agentb.a implying it was detected either via Opentip or other means. It could be signatures, but I dont see it being a UDS_____ detection instead of a signature detection.

 

[likeastar20]

Well, guess I was wrong. Why didn’t VT show anything malicious on the MITRE ATT&CK matrix?

Also - I believe these are automatic cloud detections as apposed to Signatures - K Opentip detects it as VHO:Trojan.Win32.Delf.a and Trojan.Win32.Agentb.a implying it was detected either via Opentip or other means. It could be signatures, but I dont see it being a UDS_____ detection instead of a signature detection.

Maybe, I submitted the files through their support + from OpenTip as well.

 

[Xeno1234]

Maybe, I submitted the files through their support + from OpenTip as well.

When did you see the detections? Opentip or through support?

 

[likeastar20]

When did you see the detections? Opentip or through support?

They were never detected by OpenTip, but once the OpenTip analysis is complete, you can submit them to Kaspersky from there, so I did. But I also went to their support page and sent the sample to their email.

 

[Xeno1234]

They were never detected by OpenTip, but once the OpenTip analysis is complete, you can submit them to Kaspersky from there, so I did. But I also went to their support page and sent the sample to their email.

Did you get any responses saying a detection was added?

 

[Xeno1234]

I downloaded a sample and it was detected by Cloud Detection instead of databases - maybe a user was infected and K blocked it.

 

[likeastar20]

@struppigel Found another one, i think it's related, same packer.

SFX Archive:

VirusTotal

VirusTotal

www.virustotal.com

===== ===== ===== ===== ===== ===== ===== ===== ===== ===== ===== ===== ===== ===== ===== ===== ===== ===== ===== ===== ===== ===== ===== ===== =====

Original rar:

https://www.virustotal.com/gui/file/d5920f946862a6cbe8778a5e4a61ede43416d9d3cae716cf3129cd0715a92cf8

Triage | Malware sandboxing report by Hatching Triage

Have a look at the Hatching Triage automated malware analysis report for this sample, with a score of 7 out of 10.

tria.ge

EDIT1: Evasive

Free Automated Malware Analysis Service - powered by Falcon Sandbox - Viewing online file analysis results for 'SpecialDoveJZM.EXE'

Submit malware for free analysis with Falcon Sandbox and Hybrid Analysis technology. Hybrid Analysis develops and licenses analysis tools to fight malware.

www.hybrid-analysis.com