Eclipse Grabber

Eclipse Discord Token Grabber

Eclipse is an open source Python Discord Token Grabber that can be used on Windows and OSX systems. With this tool you can generate executable files that will steal Discord tokens from a system and report them to your Discord server via Discord Webhooks.

As mentioned above, this tool is written in Python and can be used on Windows and OSX systems to exfiltrate Discord tokens. Once executed, it will look through the file system and attempt to locate Discord account tokens. Once it finds one, it will send a message to your Discord server via Discord Webhooks which will contain the token, information about the system, and information about the Discord account.

Please follow the installation guide to install the Eclipse Grabber. Please follow the build guide to build an executable grabber.

Gathers Billing Information from account (if available)

For anyone who is interested in contributing to Eclipse Grabber, please make sure you fork the project and make a pull request.

This GitHub repository is made for educational purposes only. The developers are not responsible for any misuse of this software. Do not use this software for illegal purposes.

As per the statement made by the Threat Actor (TA), it appears that an upgraded version of Hazard Stealer can be accessed by purchasing it on their Discord server or website. This indicates that the malware present on GitHub might not be that evasive, and the TA has only uploaded it there for advertisement purposes. Figure 1 shows the statement made by the Threat Actor.

The number of samples related to Hazard stealer has increased significantly in the last three months, as shown below.

Figure 2 – Stats of the sample submission in VirusTotal

Technical Analysis

The figure below shows the file details of one of the recent samples we analyzed.

Figure 3 – File Details

Builder:

Hazard Token Grabber is developed using Python, and the builder of this stealer supports Python version 3.10. The builder is a simple batch file that helps generate the payload and convert the malicious Python script to a.

The malware exfiltrates the data to a Discord channel using webhooks, which can be modified through the configuration settings. The malware configuration also contains Flag variables and a list of programs to terminate during execution, as shown below.

The malware copies itself into the startup location to establish persistence and creates a random directory in %temp% to store the stolen data.

Figure 6 – Creating a folder in the Temp directory

Upon execution, the stealer checks the configuration settings and creates a list to append the function names whose flag is set to TRUE. After this, the malware creates a thread for each function present in the list to execute the malicious code in parallel.

The malware performs various checks to prevent debugging and terminates itself if it is being debugged.

Figure 8 – Anti-debug check

The malware has a list of a few hardcoded values such as hardware IDs, PC names, and usernames to exclude them from infection. The figure below shows the hardcoded lists.

The malware also checks the disk size of the victim's system. If it is below 50GB, it terminates itself. It then reads the following registry keys for identifying the virtual environment:

SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum