AnthonyQ, posted May 10, 2022:

Hi, I would like to report an undetected malware sample that can steal users' Discord credentials (MD5: 342f8feb51d604cb5aee88d72cc6eff8), available at https://www.virustotal.com/gui/file/8b7252c0568dde4408033110bee56d99ec603d51a1c2b4008a6643ee904154ad. I have already sent this sample to samples[at]eset.com, but the malware research team has not responded, and a detection has not yet been added.

Besides this sample, I would also like to report two phishing/malicious sites that I have already submitted by email and web form but have not yet been blacklisted. The first one is a fake Telegram site (hxxps://teelegrem[.com/). The malware detected as "Win32/GenCBL.BHC" will be downloaded if you click the download button. The second one is a fake Chrome site (hxxps://chrome.xahuapu[.net/), which has already been blocked by Google Safe Browsing and Sophos as per VirusTotal.

Thanks.
itman, posted May 10, 2022:

35 minutes ago, AnthonyQ said:
"I would like to report an undetected malware sample that can steal users' Discord credentials (MD5: 342f8feb51d604cb5aee88d72cc6eff8), available at https://www.virustotal.com/gui/file/8b7252c0568dde4408033110bee56d99ec603d51a1c2b4008a6643ee904154ad."

Of note here is that this malware is node.js based and the download size is approximately 66 MB. Since LiveGuard has a maximum file submission size of 64 MB, this malware would never have been submitted for ESET cloud scanning. This might be one reason ESET still doesn't detect it.
AnthonyQ (author), posted May 10, 2022 (edited):

11 minutes ago, itman said:
"Of note here is that this malware is node.js based and the download size is approximately 66 MB. Since LiveGuard has a maximum file submission size of 64 MB, this malware would never have been submitted for ESET cloud scanning. This might be one reason ESET still doesn't detect it."

Hi, after compression, this sample is only 29 MB in size, which allows me to send it by email to the ESET malware research team. Btw, I am using ESSP and I find that I can submit this sample (> 64 MB) to LiveGuard, although LiveGuard said this sample was safe to use.

Edited May 10, 2022 by AnthonyQ
IvanL_5306, posted May 10, 2022:

32 minutes ago, itman said:
"Of note here is that this malware is node.js based and the download size is approximately 66 MB. Since LiveGuard has a maximum file submission size of 64 MB, this malware would never have been submitted for ESET cloud scanning. This might be one reason ESET still doesn't detect it."

Although the sample was submitted via email, they refused to analyze it, just because not everyone is using Discord. Therefore, these kinds of samples will remain as CLEAN.
itman, posted May 10, 2022 (edited):

1 hour ago, AnthonyQ said:
"Btw, I am using ESSP and I find that I can submit this sample (> 64 MB) to LiveGuard, although LiveGuard said this sample was safe to use."

Check the file size in the ESET Sent log. It appears the download is bundled in a .exe installer, which would have reduced the size of the node.js code. It is also possible the 64 MB restriction only applies to auto submissions to LiveGuard, i.e. downloads.

Edited May 10, 2022 by itman
itman, posted May 10, 2022:

1 hour ago, AnthonyQ said:
"Although LiveGuard said this sample was safe to use."

Draw your own conclusions on this. In all the recent LiveGuard testing I have done, I have yet to have LiveGuard return a malicious verdict.
AnthonyQ (author), posted May 11, 2022:

7 hours ago, itman said:
"Draw your own conclusions on this. In all the recent LiveGuard testing I have done, I have yet to have LiveGuard return a malicious verdict."

Just received a response from the ESET malware response team informing me that a detection has been added: "8b7252c0568dde4408033110bee56d99ec603d51a1c2b4008a6643ee904154ad.exe - JS/PSW.Discord.AS trojan". Also, the second website I reported has been blacklisted by ESET, while the first one is still pending.

In general, the ESET malware response team is quick to respond to samples of undetected malware from common malware families, which is nice. I'm hoping that the ESET malware response team will be able to respond more quickly to these uncommon threat submissions.
AnthonyQ (author), posted May 18, 2022:

Another two samples were submitted earlier today, but no detection has been added.

Sample 1: Netwire RAT with MD5: 5e08e6457dee689b9a11d1326d83d1a9
Sample 2: Rootkit/Proxy Changer (according to Kaspersky's detection name) with MD5: dacd2eebd7c903a79efcabfe11a65850