As per the statement made by the Threat Actor (TA), it appears that an upgraded version of Hazard Stealer can be accessed by purchasing it on their Discord server or website. Figure 1 shows the statement made by the Threat Actor.

"Thank you, if you found some solutions, send it in the Github pull requests."

This indicates that the malware present on GitHub might not be that evasive, and the TA has only uploaded it there for advertisement purposes.

The number of samples related to Hazard stealer has increased significantly in the last three months, as shown below.

Figure 2 – Stats of the sample submission in VirusTotal

The figure below shows the file details of one of the recent samples we analyzed.

Figure 3 – File Details

Technical Analysis

Builder:

Hazard Token Grabber is developed using Python, and the builder of this stealer supports Python version 3.10. The builder is a simple batch file that helps generate the payload and convert the malicious Python script to a.

The malware exfiltrates the data to a Discord channel using webhooks, which can be modified through the configuration settings. The malware configuration also contains flag variables and a list of programs to terminate during execution, as shown below.

The malware copies itself into the startup location to establish persistence and creates a random directory in %temp% to store the stolen data.

Figure 6 – Creating a folder in the Temp directory

Upon execution, the stealer checks the configuration settings and creates a list of the function names whose flag is set to TRUE. After this, the malware creates a thread for each function present in the list so that the malicious routines run in parallel. The malware performs various checks to detect debugging and terminates itself if it is being debugged. The malware also has a short list of hardcoded values, such as hardware IDs, PC names, and usernames, which it uses to exclude those machines from infection.

Figure 8 – Anti-debug check

The figure below shows the hardcoded lists.
For people that constantly ask me to update it so it can decrypt the new Discord clients' tokens, I already did it thanks to tested it and it is working, so the grabber has already been updated and upgraded, for me. Unfortunately, after being "skidded" every time I made programs, I don't really want to share my code again; being generous was a loss of time. Just make your code by yourself, it will make you better at programming. Good luck for the future, cordially, venax.

The program has been made for educational purposes, do not use it for malicious purposes.

You only have to input your Discord webhook on line nine and compile it.

I updated all old Discord API versions on request links.

For the account connections (linked accounts) like YouTube, Steam, Github, I could not use the get function because converting it into a dictionary is very hard, because the Discord API gives it as a list of dictionaries, and I tried to split them but it was too difficult.

Apart from that, I added the victim's account biography to the token grabber as footer text. And finally, for linked accounts, I still put them in the token grabber but only deleting the characters of list and dictionary to make it look more understandable.

I also managed to get the banner as gif / png in the embed; I found that it was almost the same as the avatar link, but it was /banners/userid/bannerid instead of /avatars/userid/avatarid.