Malware Analysis Another Evasive Discord Token Stealer Disguised as PC game 🎮☠️

[Kongo]

Found another discord token stealer similar to the last one I posted a few days ago that is also only detected by one engine on VirusTotal. Would be interesting to see how multiple AVs react to this threat as it's barely detected by any engine.

Maybe @Shadowra @Trident @Jengo want to test it with CheckPoint, Deep Instinct etc.

Just if you find the time of course

Website with the stealer: https://kyrazon[.]com

Password to the archive is "KS2024"

VirusTotal: VirusTotal

Triage: c765f61cee33c326acc4ea19256267c35129a1ec7edb567fe0b5ed9a88e3d6b1 | Triage

AnyRun: Analysis KyrazonSetup.exe (MD5: 7A84BBEADE50E7110FE8D278DC22B92D) Malicious activity - Interactive analysis ANY.RUN

FileScan: Filescan.IO - Next-Gen Malware Analysis Platform

Hybrid Analysis: Free Automated Malware Analysis Service - powered by Falcon Sandbox

 

[Bot]

Thanks for sharing this. It's concerning to see another token stealer barely detected by AV engines. I hope @Shadowra, @Trident, and @Jengo can provide some insights with their respective tools. It's crucial to stay vigilant and keep our systems protected against such threats.

 

[simmerskool]

this VM is running harmony, and kyrason setup v1.0.8.rar DL'd here, the harmony CP browser extension said the file was too large to analyze. I did not unpack it assuming it was really a .rar

 

[Trident]

this VM is running harmony, and kyrason setup v1.0.8.rar DL'd here, the harmony CP browser extension said the file was too large to analyze. I did not unpack it assuming it was really a .rar

This is due to settings. When I go home and download it, it will be emulated.

 

[SeriousHoax]

Did a very quick test. Missed by Microsoft Defender.

 

[harlan4096]

Clean in KOTIP, reported...

 

[likeastar20]

Electron built stealer, classic

 

[Andrew3000]

Some tests


Check Point Harmony:

Spoiler

Catched
Report here: Harmony Endpoint Forensics Analysis: Overview

Norton v22

Spoiler

Only firewall reaction due to invalid signature.

Avast One:

Spoiler

No reaction

Kaspersky

Spoiler

Catched

 

[Trident]

I am getting 2 behavioural detections on my end:

Under my policy all these LOLBins could not execute, so the chain was very short and simple.

 

[Shadowra]

Spoiler: ZoneAlarm

Detected when using reg.exe . Actions have been stopped.

Spoiler: DeepInstint

Not detected

Spoiler: Bitdefender IS

Detected by the anti-malware engine (probably Cloud detection) and by ATP.
The file has been removed and Bitdefender has performed a remediation.

 

[Trident]

But the most interesting things is, it seems to be pushing 2 different versions. Mine didn’t have reg.exe anywhere in the chain. I turned application control off to see the whole chain. @Shadowra and @Andrew3000 detections are the same (clipbanker/Nova) but mine is RiseProStealer. Mine attempted to connect to some suspicious URLs such as oshi(.)net (not observed on Andrew300’s test). Needless to say connection failed — untested/uncategorised URLs and domains are blocked under my policy.
Mine has a file kyrazongodot.exe, which is not on Andrew300’s forensics report.

Most likely depending on the region or other system information, it decides what to deploy.

 

[harlan4096]

Hello,

New malicious software was found in the attached file. Its detection will be included in the next update:
c765f61cee33c326acc4ea19256267c35129a1ec7edb567fe0b5ed9a88e3d6b1 - HEUR:Trojan-PSW.Win32.Stealer.gen

Thank you for your help.

 

[Shadowra]

MS Defender (Max Settings)

 

[Kongo]

Spoiler: ZoneAlarm

View attachment 284679View attachment 284680

Detected when using reg.exe . Actions have been stopped.

Spoiler: DeepInstint

Not detected View attachment 284681

Spoiler: Bitdefender IS

View attachment 284682
View attachment 284683
View attachment 284684

Detected by the anti-malware engine (probably Cloud detection) and by ATP.
The file has been removed and Bitdefender has performed a remediation.

Deep Instinct without max settings I assume? Thanks for testing!

 

[Sandbox Breaker]

Contained by Xcitium (Restricted)

 

[Shadowra]

Deep Instinct without max settings I assume? Thanks for testing!

With Max Settings

 

[Khushal]

Found another discord token stealer similar to the last one I posted a few days ago that is also only detected by one engine on VirusTotal. Would be interesting to see how multiple AVs react to this threat as it's barely detected by any engine.

Maybe @Shadowra @Trident @Jengo want to test it with CheckPoint, Deep Instinct etc.

Just if you find the time of course

Website with the stealer: https://kyrazon[.]com

Password to the archive is "KS2024"

VirusTotal: VirusTotal

Triage: c765f61cee33c326acc4ea19256267c35129a1ec7edb567fe0b5ed9a88e3d6b1 | Triage

AnyRun: Analysis KyrazonSetup.exe (MD5: 7A84BBEADE50E7110FE8D278DC22B92D) Malicious activity - Interactive analysis ANY.RUN

FileScan: Filescan.IO - Next-Gen Malware Analysis Platform

Hybrid Analysis: Free Automated Malware Analysis Service - powered by Falcon Sandbox

Funnily and interestingly enough AVG, Avast and Norton ignore this threat but Avira blocks it.

 

[Sandbox Breaker]

Funnily and interestingly enough AVG, Avast and Norton ignore this threat but Avira blocks it.

Why does Norton not utilize all the threat Intel they have? Three engines all not linked properly. I'd still prefer SEP over Norton anyday

 

[Khushal]

Why does Norton not utilize all the threat Intel they have? Three engines all not linked properly. I'd still prefer SEP over Norton anyday

Only Gen digital can explain?

 

[Sandbox Breaker]

LifeLock is cool that's about it to me. But I do my own ID protection.