Malware Analysis Another Evasive Discord Token Stealer Disguised as PC game 🎮☠️

I don't know how many of us had Discord installed on their test system. I think we should do it before running a Discord token installer. I don't have it on any of my VMs. I'll have to create a new account and install it on all the VMs.

@Shadowra Does MD block almost any unknown exe file in Max settings in your experience? I know that by default MD detects files if the cloud gives a malicious verdict with 90% probability. On High it's 80%, don't know the value of High+ but following the trend it's probably 70%. Max/Zero Tolerance apparently blocks all unknown exes.
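The cloud block level the post above asks about is an ordinary Microsoft Defender preference and can be read and changed from PowerShell. The snippet below is an added example, not something any poster in the thread ran; it assumes an elevated PowerShell session on a Windows machine with Microsoft Defender active, and it only shows how to inspect and raise the setting on a test VM so a sample is held for cloud analysis before it runs.

```powershell
# Added example (not from the thread): inspect and adjust Microsoft Defender's
# cloud protection level, the setting discussed in the post above.
# Assumes an elevated PowerShell session on a host running Microsoft Defender.

# Read the current cloud protection settings.
$pref = Get-MpPreference
[pscustomobject]@{
    MAPSReporting        = $pref.MAPSReporting        # 0 = off, 1 = basic, 2 = advanced
    CloudBlockLevel      = $pref.CloudBlockLevel      # 0 Default, 1 Moderate, 2 High, 4 HighPlus, 6 ZeroTolerance
    CloudExtendedTimeout = $pref.CloudExtendedTimeout # extra seconds (0-50) a file is held for a cloud verdict
    SubmitSamplesConsent = $pref.SubmitSamplesConsent # whether samples are sent automatically
}

# Raise the level to High (2) on a test VM. HighPlus (4) and ZeroTolerance (6)
# block more unknown executables but also produce more false positives, so
# they are best reserved for analysis systems rather than daily-use machines.
Set-MpPreference -CloudBlockLevel 2

# Give the cloud the maximum extra time before an unknown file is allowed to run.
Set-MpPreference -CloudExtendedTimeout 50

# Confirm the change took effect.
(Get-MpPreference).CloudBlockLevel
```

Group Policy and third-party tools such as Configure Defender write the same preference, so comparing the value here with what the GUI reports is a quick way to confirm which level a VM is actually running before testing a sample.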

Yes, that's what I notice. Even the FakeAV from the other day was quickly detected with High+.
High+? That's not Max settings. I think you meant Block in Configure Defender/Zero Tolerance on GPO.
On Default, that FakeAV was detected after execution but weirdly was not cleaned automatically. I had to open Windows Security to manually start the cleaning process, even though the ML detection name was Trojan, not PUP/PUA.
 
There were also dropped suspicious files with no detections. I'm now doing a scan with my AV, called Hydra Dragon Antivirus, and it detected too many suspicious files, but I stopped the analysis while it was scanning; now I'm going to do the scan again.
Edit: It got detected by Hydra Dragon Antivirus Malpedia signatures. Analysis still continues.
In my test for Avast, it was sent to CyberCapture but it did not receive either a positive or negative verdict. It told me to wait a few hours, and until then they will keep blocking the file.
Should be detected soon, as it was probably manually sent for analysis.