SeriousHoax

Most Valued Members
  • Posts: 365
  • Days Won: 10

Everything posted by SeriousHoax

  1. Yeah, everyone has issues with these stealers. Only Kaspersky's automation and behavior analysis seems to have found a way to detect these well enough. Here are two more similar ones: https://www.virustotal.com/gui/file/d4524f9c529ffd945c789b8379116b8bb6227de2ffa045729f47a4131f3d5cfb/detection https://www.virustotal.com/gui/file/55a53bc3effd29452d1582cee94f4541123b3c34a3d69cfc0a7db93570b884d8/detection A user from the malwaretips forum is finding these on the game platform https://itch.io/ A friend of mine also found a few stealer campaigns on Telegram. They are constantly updating their samples to bypass detections. ESET researchers probably should check out the campaign of uploading samples pretending to be games on the itch.io platform. I'm tagging Mr. @Aryeh Goretsky just in case, since he's part of ESET's R&D team.
  2. The main exe sample file is just under 64 MB. LiveGuard can upload it. It's 150 MB only after unpacking, which he needed to do for his analysis.
  3. Yeah, it's Quasar. ESET detected a PowerShell code via its AMSI and Command Line Scanner at one point. I have saved screenshots for that. But I don't understand how come LiveGuard couldn't detect it? It should be detected by their Sandbox. A couple of the stealers didn't employ any sandbox evasion tactics. It's a bit different type of stealer. New variants by different groups keep coming regularly. It was discussed in the Malwaretips forum. G-Data analyst Karsten Hahn even made a video about it after the forum discussion and his analysis. You can check that out here: https://youtu.be/kGwa9poV8OU At the moment only Kaspersky is doing a decent job at detecting these stealers with their behavior blocker.
  4. Here are some stealer samples not detected by ESET yet. The size of these samples is too big to be sent to ESET's mail as attachments. LiveGuard considered these safe. I sent VT links of two of these samples to ESET more than once, but my submissions were ignored as usual, so I'm sharing here: https://www.virustotal.com/gui/file/fb888cb52b9acd732b3a8cd1e0928cdd86dbc4a8de01f1d48e41fce153e3b0c4/detection https://www.virustotal.com/gui/file/962c6df0b8ca065bd5df52e06c744c7795867aaacf856798e78cf27fecf3ea9d/detection https://www.virustotal.com/gui/file/812c1bc73253ea51ba829be98d7c1af22c52fe8308014eca7d0dd6940dd3608c/detection https://www.virustotal.com/gui/file/e5d1b8d1d38678d6333804c98802a2d7bc4917ab1a07aa85868e6e2e9284ddd6/detection This one is a Backdoor. ESET detects it after execution at a later stage via AMSI and Command Line Scanner. But for some reason, LiveGuard marks it safe. A signature would be better: https://www.virustotal.com/gui/file/99198643f2b0564539abec2e6e7ca8c7c455e203077b8751a9a8400807ad1ddc/detection This file is used by a couple of these samples. Kaspersky and Bitdefender detect these as PUP. Maybe ESET should consider creating a PUP/PUA detection for it as well. https://www.virustotal.com/gui/file/53314136803bee54998b66527ced96f94ab72873b2f1f6d9ed1d4756953e5200/detection
  5. It's normal, as it's a script to disable Defender. It's detected by many AV products, similar to Defender Control.
  6. Disabling Microsoft Defender is not necessary. But one can also use Defender Control to do it. You have to disable Real-time and Tamper Protection first, so it should be done before installing a third-party AV. https://www.sordum.org/9480/defender-control-v2-1/ Another option is to use this script, following the instructions: https://github.com/TairikuOokami/Windows/blob/main/Microsoft Defender Disable.bat
  7. At what location does ESET Online Scanner install? I don't know that. Can you install that and run a scan?
  8. Yeah, I checked those too last night, and they are indeed present in VT. Maybe one wasn't? I forgot. But the two MD5s they shared on their site are not present in VT. Wow, that's a big claim. I don't know about it being a scam. But why would they show ESET's detection? A sample not being in VT is not uncommon, especially if the vendor also sells a threat intelligence service. For example, ESET has not always shared their researched samples on VT, but it's understandable. ESET is also a well-known and respected company, while I don't know much about Uptycs. But releasing scam research where everyone but one didn't detect wouldn't go unnoticed in other vendors' eyes. So, I can't comment on that.
  9. Because they are not the same samples. Your VT link is an older sample. The two sample IOCs provided in the research blog OP posted are not present in Virustotal. Also, they performed dynamic analysis too, so it's clear that out of those 26 vendors, only ESET detected it at that time. Out of reputable vendors, I only see that Norton wasn't tested.
  10. Unless ESET had already got their hands on the sample that was analyzed there, it should be a DNA detection.
  11. One more example of ESET's DNA detection in action, I suppose.
  12. Also, some products won't detect the driver itself but will stop any attempt to exploit it. For example, this is what Kaspersky told me: "Our products detect the attempts to exploit CVE-2021-31728. It is enough." A similar thing was said by Bitdefender as well. But I do like ESET's approach of adding the driver to their PUA detection, and I think they have also taken measures to stop the exploit via HIPS or another internal method.
  13. Yeah, I have seen this happening with other products that have HTTPS scanning. Usually, products that make use of YARA rules are triggered by the YARA rules on VT. Saw this the most with Avast, a couple of times with Kaspersky and ESET, but never with Bitdefender, maybe because they don't use YARA.
  14. Yeah, saw that. I can still visit the site. Who knows why! There's no reason to not block it 🙄
  15. The app itself is not hacked. It's just that a lot of scam/malicious things are shared on some channels. People who fall for these are mostly unaware teenagers. Telegram is abused a lot too. I browse Discord on my browser only, mainly to see if I can find any new malware like the one I shared here.
  16. Thanks for your help. I understand. I may try another method that I thought of to increase the chance of ESET analysts analyzing my submitted sample even if it's just Virustotal links. If that doesn't work, then I can always share the sample's VT link here like this post of mine. Cheers.
  17. Here, just got a reply from Kaspersky. They have now blocked the site as well.
  18. That's because I submitted the site to Bitdefender with the explanation and also one of the samples. I willingly sent only one sample to observe something, and my mission was successful. All the rest of the detections started to appear after Bitdefender's detection, while the other one remains with 2 detections. The site is also blocked by Norton. Their automated analysis blocked it instantly after my submission. It was already categorized as Suspicious, but for whatever reason, my submission triggered the change of reputation to Malicious source, which I suggested. Maybe a Norton user downloaded the file from that site before. BTW, G-Data not only uses BD's signatures but also their web-filtering SDK. At least they use the blacklist feed. That's why BD's blockage also made G-Data block it. I have the evidence. The victim himself said that his Discord tokens were stolen by a malware. When asked where he found it, he shared the site link and was also told to submit the sample to VT and Opentip, which he did, and this is the result. I have the zip file on my PC, I just don't know the password. The victim guy was banned for some other reasons not long after, so I couldn't ask for the password in time. This type of "check out my game" Discord scam is very common. The chance of automated analysis not picking up the site is the most obvious thing, since it's not hosting the malware itself. Just a link to a legit Discord domain to a password-protected archive.
  19. Those are not related to the malware. If you check the screenshots of the analysis, you'll see that it couldn't even download the rar file. It couldn't connect. The files that you see, like "mini-wallet.html", are files of Microsoft Edge. I checked on my system. All the files there are from MS Edge.
  20. Oh, saw it, but those don't look like they're from the rar. It's just some Discord icons or something from the Discord link itself. The rar file wasn't extracted. Anyway, it's a real malware, and the link should be blocked as well to block distribution of the sample at the earliest stage. Bitdefender blacklisted the site within an hour of my submission.
  21. This is because the rar is password protected. I don't know the password, that's why I submitted the Virustotal link instead. No, one guy that I saw who got infected by it wasn't Russian. Dr.Web was already detecting it, and Kaspersky detects it as it was analyzed in their publicly available Opentip sandbox, where a heuristic detection picked it up after dynamic analysis. The infected user submitted it to Opentip. https://opentip.kaspersky.com/0353bea6c80a4da37a7f66f05343a0699541ee32b5985425b854b63b32f8ceaf/results?tab=lookup
  22. Hello, @Peter Randziak Thank you for replying and trying to help by getting in touch with the lab. With due respect, isn't manual work the job of a human analyst? Not all samples can be detected by an automated process, so human analysis is needed for many samples. I often find Virustotal links of malware that I don't have access to. For example, the above ones I found on Discord. The malware available on the shared site is password protected. So I could only share the VT links, not the files themselves. Sorry about that. I often submit samples to other vendors also, who are okay with analyzing malware from my submitted Virustotal links. Anyway, looks like the link and the samples are not detected yet. Thanks.
  23. Discord Token Stealer that seems to be not detected by ESET: One of the sites that is spreading the malware, which should be blocked: hxxps://movesoul.yaziciali.repl.co I don't have access to the malware files. Here are their Virustotal links: https://www.virustotal.com/gui/file/0353bea6c80a4da37a7f66f05343a0699541ee32b5985425b854b63b32f8ceaf/detection https://www.virustotal.com/gui/file/fdf4535c0d53b8af070203e190ce950b34d7b51a697f7e917b133705bfd2afe3/detection @Marcos Please have a look at this. Also, does sending Virustotal links to ESET via email work? I sent a couple of other samples yesterday but no reply/detection for them yet.
  24. Yeah, but it's not easy to uninstall it because it comes with AMD's display driver by default. I use this tool to pre-remove stuff that I don't need when a new driver comes out. But the last time, I forgot to uncheck Ryzen Master. https://github.com/GSDragoon/RadeonSoftwareSlimmer
  25. ESET also detected an AMD Driver on my system. This one as: "Win64/AMD.C potentially unsafe application" https://www.virustotal.com/gui/file/77955af8a8bcea8998f4046c2f8534f6fb1959c71de049ca2f4298ba47d8f23a/detection I see that it's present here: https://www.loldrivers.io/drivers/13973a71-412f-4a18-a2a6-476d3853f8de/?query=amdryzenmasterdriver.sys#:~:text=cec887f20ab468caa1c99fcbe7fbdfab25fadf39