Malicious website submissions are ignored


Recommended Posts

@Marcos Hi! Here's a somewhat similar stealer sample I sent you in a private message a few days ago. The current signature on the exe file is not an effective solution. I assume it should also be analyzed by an analyst to create a better signature, like was created for the other two samples I shared in this thread:

https://www.virustotal.com/gui/file/e9d1c22e3616399e4ce428ab0c4bbc7d0519f9e3cd19ad91d33bcef5ce539f5c/detection


Yesterday evening, I noticed that the CrowdStrike analysis for the above-noted installer.exe had not produced a detailed analysis report for it. So I did that. Results are here: https://www.hybrid-analysis.com/sample/a361465a9b8ccd239c2499e0c044b9acb2cd787d2913750a245fe707737e90c7/66b00aec6da8dce9c40083cc . What did the analysis report reveal?

1. It's definitely installing the infostealer malware.

2. None of the OPSWAT AV engines CrowdStrike uses detected anything malicious with it.

3. It has never been submitted to VT. Why?

4. After installer.exe runs, it deletes itself.

As far as I am concerned, AVs, including Eset, are not going to detect these infostealers by the signature method. First, their local heuristic analysis needs to be "beefed up" behavior-analysis-wise to at least submit the .exe for further analysis. Overall, however, existing product behavior analysis needs to be enhanced to detect these infostealers.

Also, consumer product LiveGuard analysis is ineffective. I have had it detect infostealer samples I downloaded only to return a clean verdict. Infostealers, along with most malware today, employ VM- and sandbox-aware logic and will not detonate their malicious code when such is detected.

Edited by itman
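The post above hashes out a sample on Hybrid Analysis and then notes that the same installer.exe had never been submitted to VirusTotal. As an added example (not ESET's code and not the poster's), here is the small triage helper a defender would keep for exactly that check: it computes the SHA-256 of a local file, builds the VirusTotal GUI link used throughout this thread, and, if an API key is present in the VT_API_KEY environment variable, looks the hash up through the VirusTotal v3 `GET /api/v3/files/{sha256}` endpoint (real endpoint, real `x-apikey` header) and reduces the report to the handful of fields worth reading. A 404 is reported as "never submitted" rather than as an error, because that absence is itself a finding. The JSON report at the bottom is a constructed, trimmed stand-in for a real response so the summariser can be exercised offline.

```python
"""Hash a local sample and summarise its VirusTotal v3 file report.

Added example for this thread; not ESET's or the forum poster's code.
Assumes: VirusTotal API v3 (GET /api/v3/files/{sha256}, x-apikey header)
and an API key in the VT_API_KEY environment variable. SAMPLE_REPORT
below is constructed test data, not a real report.
"""
import hashlib
import json
import os
import sys
import urllib.error
import urllib.request
from typing import Optional

VT_API = "https://www.virustotal.com/api/v3/files/"
VT_GUI = "https://www.virustotal.com/gui/file/"


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    """Stream the file in 1 MiB chunks so large installers do not sit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def gui_url(sha256: str) -> str:
    """Same link shape as the VT links posted in this thread."""
    return f"{VT_GUI}{sha256}/detection"


def summarise_report(report: dict) -> dict:
    """Reduce a v3 file report to the fields that matter during triage:
    how many engines flag it, which ones (with their verdict names), and
    the filenames VT has seen it under."""
    attrs = report.get("data", {}).get("attributes", {})
    stats = attrs.get("last_analysis_stats", {})
    results = attrs.get("last_analysis_results", {})
    flagged = sorted(
        (engine, r.get("result"))
        for engine, r in results.items()
        if r.get("category") == "malicious"
    )
    total = sum(stats.get(k, 0) for k in
                ("malicious", "suspicious", "undetected", "harmless"))
    return {
        "malicious": stats.get("malicious", 0),
        "total": total,
        "flagged": flagged,
        "names": list(attrs.get("names", []))[:5],
    }


def fetch_report(sha256: str, api_key: Optional[str] = None) -> Optional[dict]:
    """Look the hash up on VT. Returns None when VT has never seen it (404)."""
    key = api_key or os.environ.get("VT_API_KEY")
    if not key:
        raise RuntimeError("set VT_API_KEY to query VirusTotal")
    req = urllib.request.Request(VT_API + sha256, headers={"x-apikey": key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        if e.code == 404:
            return None
        raise


# Constructed, trimmed stand-in for a real VT report (real ones list ~70 engines).
SAMPLE_REPORT = {
    "data": {"attributes": {
        "names": ["installer.exe"],
        "last_analysis_stats": {"malicious": 2, "suspicious": 0,
                                "undetected": 1, "harmless": 0},
        "last_analysis_results": {
            "EngineA": {"category": "malicious", "result": "Trojan.GenericKD"},
            "EngineB": {"category": "undetected", "result": None},
            "EngineC": {"category": "malicious", "result": "Spyware.Stealer"},
        },
    }}
}


if __name__ == "__main__":
    # Usage: python vt_triage.py <sample>   (offline: prints hash and GUI link only)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    if path:
        digest = sha256_of_file(path)
        print(digest, gui_url(digest))
        if os.environ.get("VT_API_KEY"):
            rep = fetch_report(digest)
            print("never submitted to VT" if rep is None else summarise_report(rep))
    else:
        print(summarise_report(SAMPLE_REPORT))
```

Run it against the downloaded installer before detonating anything: a hash that VT has never seen is worth more attention, not less, and the summary line shows at a glance whether the few engines that do flag it agree on a stealer family.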

Update on this free game web site serving up an infostealer.

Eset took "the nuclear option" and is now blacklisting the web site. Better than nothing.

[Image: Eset_Game.png]

Edited by itman

On 8/5/2024 at 9:31 PM, itman said:

As far as I am concerned, AVs, including Eset, are not going to detect these infostealers by the signature method. First, their local heuristic analysis needs to be "beefed up" behavior-analysis-wise to at least submit the .exe for further analysis. Overall, however, existing product behavior analysis needs to be enhanced to detect these infostealers.

Also, consumer product LiveGuard analysis is ineffective. I have had it detect infostealer samples I downloaded only to return a clean verdict. Infostealers, along with most malware today, employ VM- and sandbox-aware logic and will not detonate their malicious code when such is detected.

Yeah, signature-based detection is not enough. Even Hybrid Analysis is not doing a good job.

@Marcos Two phishing sites. Blacklisted by Symantec:

https://www.virustotal.com/gui/url/ffa39757976dc67f58860f82a6c40100397bf54e394357d12683250ace0741d3/detection

https://www.virustotal.com/gui/url/cac61363aab776905c8c8c9e8c5561d00df3593abfce5b6412aaa00bba547ee2/detection


  • Administrators
8 hours ago, SeriousHoax said:

I don't see anything really bad about those sites but since they are relatively new and require login, they will be blocked.


On 8/9/2024 at 12:19 AM, itman said:

Note this is Android phone malware.

Yeah, I'm aware, as I use an Android phone myself. It's an unofficial Telegram app installer, but I don't know if it's malware or not. Only Ikarus detects it according to VT. Ikarus quite often just copies ESET's and Kaspersky's signatures (mostly ESET's).
