
Discord stealer sample submitted but not processed


Hi,

I would like to report an undetected malware sample that can steal users' Discord credentials (MD5: 342f8feb51d604cb5aee88d72cc6eff8), available at https://www.virustotal.com/gui/file/8b7252c0568dde4408033110bee56d99ec603d51a1c2b4008a6643ee904154ad.

I have already sent this sample to samples[at]eset.com, but the malware research team has not responded, and a detection has not yet been added. 

Besides this sample, I would also like to report two phishing/malicious sites that I have already submitted by email and web form but have not yet been blacklisted. The first one is a fake Telegram site (hxxps://teelegrem[.com/). The malware detected as "Win32/GenCBL.BHC" will be downloaded if you click the download button. The second one is a fake Chrome site (hxxps://chrome.xahuapu[.net/), which has already been blocked by Google Safe Browsing and Sophos as per VirusTotal.

Thanks.


35 minutes ago, AnthonyQ said:

I would like to report an undetected malware sample that can steal users' Discord credentials (MD5: 342f8feb51d604cb5aee88d72cc6eff8), available at https://www.virustotal.com/gui/file/8b7252c0568dde4408033110bee56d99ec603d51a1c2b4008a6643ee904154ad.

Of note here is that this malware is Node.js based and the download size is approximately 66 MB. Since LiveGuard has a maximum file submission size of 64 MB, this malware would never have been submitted for ESET cloud scanning. This might be one reason ESET still doesn't detect it.


11 minutes ago, itman said:

Of note here is that this malware is Node.js based and the download size is approximately 66 MB. Since LiveGuard has a maximum file submission size of 64 MB, this malware would never have been submitted for ESET cloud scanning. This might be one reason ESET still doesn't detect it.

Hi,

After compression, this sample is only 29 MB in size, which allows me to send it by email to the ESET malware research team.

Btw, I am using ESSP and I find that I can submit this sample (> 64 MB) to LiveGuard, although LiveGuard said this sample was safe to use.


32 minutes ago, itman said:

Of note here is that this malware is Node.js based and the download size is approximately 66 MB. Since LiveGuard has a maximum file submission size of 64 MB, this malware would never have been submitted for ESET cloud scanning. This might be one reason ESET still doesn't detect it.

Although the sample was submitted via email, they refused to analyze it, just because not everyone is using Discord. Therefore, these kinds of samples will remain CLEAN.


1 hour ago, AnthonyQ said:

Btw, I am using ESSP and I find that I can submit this sample (> 64 MB) to LiveGuard, although LiveGuard said this sample was safe to use.

Check the file size in the ESET Sent log. It appears the download is bundled in a .exe installer, which would have reduced the size of the Node.js code. It is also possible that the 64 MB restriction only applies to automatic submissions to LiveGuard, i.e. downloads.


1 hour ago, AnthonyQ said:

Although LiveGuard said this sample was safe to use.

Draw your own conclusions on this. In all the recent LiveGuard testing I have done, I have yet to have LiveGuard return a malicious verdict.


7 hours ago, itman said:

Draw your own conclusions on this. In all the recent LiveGuard testing I have done, I have yet to have LiveGuard return a malicious verdict.

Just received a response from the ESET malware response team informing me that a detection has been added: "8b7252c0568dde4408033110bee56d99ec603d51a1c2b4008a6643ee904154ad.exe - JS/PSW.Discord.AS trojan".

Also, the second website I reported has been blacklisted by ESET while the first one is still pending.

In general, the ESET malware response team is quick to respond to samples of undetected malware from common malware families, which is nice. I'm hoping that the ESET malware response team will be able to respond more quickly to these uncommon threat submissions.


Another two samples were submitted earlier today, but no detection has been added.

Sample 1: Netwire RAT with MD5: 5e08e6457dee689b9a11d1326d83d1a9

Sample 2: Rootkit/Proxy Changer (according to Kaspersky's detection name) with MD5: dacd2eebd7c903a79efcabfe11a65850
