SeriousHoax

Most Valued Members
  • Posts: 357
  • Joined
  • Last visited
  • Days Won: 10
Everything posted by SeriousHoax

  1. Because they are not the same samples. Your VT link is an older sample. The two samples' IOCs provided in the research blog OP posted are not present in VirusTotal. Also, they performed dynamic analysis too, so it's clear that out of those 26 vendors, only ESET detected it at that time. Out of reputable vendors, I only see that Norton wasn't tested.
  2. Unless ESET had already got their hands on the sample that was analyzed there, it should be a DNA detection.
  3. One more example of ESET's DNA detection in action, I suppose.
  4. Also, some products won't detect the driver itself but will stop any attempt to exploit it. For example, this is what Kaspersky told me: "Our products detect the attempts to exploit CVE-2021-31728. It is enough." A similar thing was said by Bitdefender as well. But I do like ESET's approach of adding the driver to their PUA detection, and I think they have also taken measures to stop the exploit via HIPS or other internal methods.
  5. Yeah, I have seen this happening with other products that have HTTPS scanning. Usually, products that make use of YARA rules are triggered by the YARA rules on VT. Saw this the most with Avast, a couple of times with Kaspersky and ESET, but never with Bitdefender, maybe because they don't use YARA.
  6. Yeah, saw that. I can still visit the site. Who knows why! There's no reason to not block it 🙄
  7. The app itself is not hacked. It's just that a lot of scam/malicious things are shared on some channels. People who fall for these are mostly unaware teenagers. Telegram is abused a lot too. I browse Discord on my browser only, mainly to see if I can find any new malware like the one I shared here.
  8. Thanks for your help. I understand. I may try another method that I thought of to increase the chance of ESET analysts analyzing my submitted sample even if it's just Virustotal links. If that doesn't work, then I can always share the sample's VT link here like this post of mine. Cheers.
  9. Here, just got a reply from Kaspersky. They have now blocked the site as well.
  10. That’s because I submitted the site to Bitdefender with the explanation and also one of the samples. I willingly sent only one sample to observe something, and my mission was successful. All the rest of the detections started to appear after Bitdefender's detection, while the other one remains with 2 detections. The site is also blocked by Norton. Their automated analysis blocked it instantly after my submission. It was already categorized as Suspicious, but for whatever reason, my submission triggered the change of reputation to Malicious source, which I suggested. Maybe a Norton user downloaded the file from that site before. BTW, G-Data not only uses BD's signatures but also their web-filtering SDK. At least they use the blacklist feed. That's why BD's blockage also made G-Data block it. I have the evidence. The victim himself said that his Discord tokens were stolen by a malware. When asked where he found it, he shared the site link and was also told to submit the sample to VT and Opentip. Which he did, and this is the result. I have the zip file on my PC, just don't know the password. The victim guy was banned for some other reasons not long after, so I couldn't ask for the password in time. This type of "check out my game" Discord scam is very common. The chance of automated analysis not picking up the site is the most obvious thing, since it's not hosting the malware itself. Just a link to a legit Discord domain to a password-protected archive.
  11. Those are not related to the malware. If you check the screenshots of the analysis, you'll see that it couldn't even download the rar file. It couldn't connect. The files that you see like "mini-wallet.html" are files of Microsoft Edge. I checked on my system. All the files there are from MS Edge.
  12. Oh, saw it, but those don't look like they're from the rar. It's just some Discord icons or something from the Discord link itself. The rar file wasn't extracted. Anyway, it's real malware and the link should be blocked as well to block distribution of the sample at the earliest stage. Bitdefender blacklisted the site within an hour of my submission.
  13. This is because the rar is password protected. I don't know the password, that's why I submitted the VirusTotal link instead. No, one guy that I saw who got infected by it wasn't Russian. Dr.Web was already detecting it, and Kaspersky detects it, as it was analyzed in their publicly available Opentip sandbox where a heuristic detection picked it up after dynamic analysis. The infected user submitted it to Opentip. https://opentip.kaspersky.com/0353bea6c80a4da37a7f66f05343a0699541ee32b5985425b854b63b32f8ceaf/results?tab=lookup
  14. Hello, @Peter Randziak. Thank you for replying and trying to help by getting in touch with the lab. With due respect, isn't manual work the job of a human analyst? Not all samples can be detected by an automated process, so human analysis is needed for many samples. I often find VirusTotal links of malware that I don't have access to. For example, the above ones I found on Discord. The malware available on the shared site is password protected. So I could only share the VT links, not the files themselves. Sorry about that. I often submit samples to other vendors also, who are okay with analyzing malware from my submitted VirusTotal links. Anyway, looks like the link and the samples are not detected yet. Thanks.
  15. Discord Token Stealer that seems to be not detected by ESET: One of the sites that is spreading the malware, which should be blocked: hxxps://movesoul.yaziciali.repl.co I don't have access to the malware files. Here are their VirusTotal links: https://www.virustotal.com/gui/file/0353bea6c80a4da37a7f66f05343a0699541ee32b5985425b854b63b32f8ceaf/detection https://www.virustotal.com/gui/file/fdf4535c0d53b8af070203e190ce950b34d7b51a697f7e917b133705bfd2afe3/detection @Marcos Please have a look at this. Also, does sending VirusTotal links to ESET via email work? I sent a couple of other samples yesterday but no reply/detection for them yet.
  16. Yeah, but it's not easy to uninstall it because it comes with AMD's display driver by default. I use this tool to pre-remove stuff that I don't need when a new driver comes out. But the last time I forgot to uncheck Ryzen Master. https://github.com/GSDragoon/RadeonSoftwareSlimmer
  17. ESET also detected an AMD Driver on my system. This one as: "Win64/AMD.C potentially unsafe application" https://www.virustotal.com/gui/file/77955af8a8bcea8998f4046c2f8534f6fb1959c71de049ca2f4298ba47d8f23a/detection I see that it's present here: https://www.loldrivers.io/drivers/13973a71-412f-4a18-a2a6-476d3853f8de/?query=amdryzenmasterdriver.sys#:~:text=cec887f20ab468caa1c99fcbe7fbdfab25fadf39
  18. Can you not confirm with the help of an ESET malware analyst to know if it was a false positive from Augur?
  19. Looks like it got 100% only because of detection from other vendors. Everything else is Suspicious Indicators only. So the score would have been much lower without these AV detections. I'm also a fan of System Informer. It has some nice features not present in others. I would just use Process Explorer if MS had made it equivalent to it. Both have some unique features, so I use both.
  20. Anyway, it's good to see that products like ESET, Kaspersky, and Bitdefender are able to block this attack. I think for all of them it's a previously created detection that worked here also. I tested Bitdefender in a VM on this site and it indeed detects it. I also tested Avast and Norton, but they aren't able to detect it. Norton has IPS and their browser extension but no HTTPS scanning. So they probably have to find a solution for this via their extension. Detecting threats like this is one of the advantages of HTTPS scanning. Avast would just need to create a signature to detect it, as they have it. ESET in my experience is one of the best, if not the best, at detecting these malicious/suspicious JavaScripts injected on websites.
  21. If it's that easy to evade LiveGuard, then I have to say that LiveGuard seems very basic and ineffective. There are emulators/sandboxes out there that can simulate user clicks. There is also malware that tries to fool such sandboxes, but countermeasures can be taken to detect such evasion techniques, which would indicate that the file is malicious. You can read all about it and much more here: https://evasions.checkpoint.com/techniques/human-like-behavior.html#check-mouse-movement:~:text=a sample emulation.-,2.2. Check via a request for user interaction,-Some malware samples It doesn't make much sense to charge a premium price for LiveGuard when it can't even do this. LiveGuard would give a safe verdict to such samples and users may end up getting infected. Samples marked as safe by LiveGuard probably aren't sent to malware analysts, so till they get their hands on such samples, it's a lost cause. There's a huge room for improvement here for ESET.
  22. Thank you very much for the response, and really pleased to know that the issue will get fixed in a future update.
  23. ESET should take part in this ransomware specific test to please some more customers, I think. ESET takes part in many tests but not this one which I find odd especially because many people have some doubts over ESET's ransomware protection capabilities (including myself). https://www.av-test.org/en/news/security-software-against-the-latest-ransomware-techniques/
  24. Not Marcos, but I see that there are still many more rubbish popups on the website, which open up if no adblocker is installed. Tested in a VM with Avast multiple times before and after you removed the suggested domain, and Avast still blocks many more as malvertisement and blacklisted URLs. Having ads on your website is fine, but don't add popup ads that lead to potential malware or adware.