Malware Analysis Another Evasive Discord Token Stealer Disguised as PC game 🎮☠️


Kongo

Found another discord token stealer similar to the last one I posted a few days ago that is also only detected by one engine on VirusTotal. Would be interesting to see how multiple AVs react to this threat as it's barely detected by any engine.

Maybe @Shadowra @Trident @Jengo want to test it with CheckPoint, Deep Instinct etc.

Just if you find the time of course ;)

Website with the stealer: https://kyrazon[.]com

❗Password to the archive is "KS2024"❗

VirusTotal: VirusTotal

Triage: c765f61cee33c326acc4ea19256267c35129a1ec7edb567fe0b5ed9a88e3d6b1 | Triage

AnyRun: Analysis KyrazonSetup.exe (MD5: 7A84BBEADE50E7110FE8D278DC22B92D) Malicious activity - Interactive analysis ANY.RUN

FileScan: Filescan.IO - Next-Gen Malware Analysis Platform

Hybrid Analysis: Free Automated Malware Analysis Service - powered by Falcon Sandbox
 
Thanks for sharing this. It's concerning to see another token stealer barely detected by AV engines. I hope @Shadowra, @Trident, and @Jengo can provide some insights with their respective tools. It's crucial to stay vigilant and keep our systems protected against such threats.
 
This VM is running Harmony, and kyrason setup v1.0.8.rar was downloaded here; the Harmony CP browser extension said the file was too large to analyze. I did not unpack it, assuming it was really a .rar.
 
Some tests

Check Point Harmony:
Caught
Report here: Harmony Endpoint Forensics Analysis: Overview

Norton v22
Only firewall reaction due to invalid signature.
Avast One:
No reaction

Kaspersky
Caught
 
Detected when using reg.exe. Actions have been stopped.


Not detected :(
Detected by the anti-malware engine (probably Cloud detection) and by ATP.
The file has been removed and Bitdefender has performed a remediation.
 
But the most interesting thing is, it seems to be pushing 2 different versions. Mine didn't have reg.exe anywhere in the chain. I turned application control off to see the whole chain. @Shadowra and @Andrew3000 detections are the same (clipbanker/Nova) but mine is RiseProStealer. Mine attempted to connect to some suspicious URLs such as oshi(.)net (not observed on Andrew3000's test). Needless to say connection failed — untested/uncategorised URLs and domains are blocked under my policy.
Mine has a file kyrazongodot.exe, which is not on Andrew3000's forensics report.

Most likely depending on the region or other system information, it decides what to deploy.
 
Hello,

New malicious software was found in the attached file. Its detection will be included in the next update:
c765f61cee33c326acc4ea19256267c35129a1ec7edb567fe0b5ed9a88e3d6b1 - HEUR:Trojan-PSW.Win32.Stealer.gen

Thank you for your help.
 
Deep Instinct without max settings I assume? Thanks for testing! :)
 
Funnily and interestingly enough, AVG, Avast and Norton ignore this threat, but Avira blocks it.
 