MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f3a00c61814cfbb3d5ace0bfc9ab618637034b1babc852b3cc2eb59699e5f338. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DiscordTokenStealer

Vendor detections: 7

SHA256 hash: f3a00c61814cfbb3d5ace0bfc9ab618637034b1babc852b3cc2eb59699e5f338
SHA3-384 hash: e9b6eff03ec85e5ca1c9ad703b681b0d7d70e36a57563d7208fc7be9a9951156fde35e76cf13b3bf3e08d2ce6a27cd54
SHA1 hash: 7ca074378c2a75088c85ba9e773b025046135d6f
MD5 hash: a8e6c877b08e7d57dca3bc630e61d7f2
humanhash: robin-oklahoma-undress-lamp
File name: RemasterSouls 1.0.0.msi
Signature: DiscordTokenStealer
File size: 90'492'928 bytes
First seen: 2025-06-23 01:08:49 UTC
Last seen: Never
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 1572864:mbrKisw45YQRJRHrghsDh50mUZEvs4C531+RtWPVwSHbLf0ZcX37XYAYe:QrULHghC50BuJSHb70aX37XS
TLSH: T1F018339A968745FAD4DEE1B3027C171DB9BA2DC33B3144435160BEDAAC7E3206B17AC4
TrID: 86.8% (.MSI) Microsoft Windows Installer (454500/1/170)
      11.6% (.MST) Windows SDK Setup Transform script (61000/1/5)
      1.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika: msi
Reporter: aachum
Tags: DiscordTokenStealer msi


iamaachum (reporter):
https://remastersouls.site/download/remastersouls.rar

FUD on VT as of uploading

Intelligence


File Origin
# of uploads: 1
# of downloads: 88
Origin country: ES
Vendor Threat Intelligence
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: adaptive-context anti-debug crypto fingerprint installer wix
Result
Threat name: n/a
Detection: malicious
Classification: troj.adwa.spyw.evad
Score: 48 / 100
Signature
Attempt to bypass Chrome Application-Bound Encryption
Detected generic credential text file
Drops large PE files
Drops PE files to the startup folder
Joe Sandbox ML detected suspicious sample
Potential malicious VBS script found (suspicious strings)
Sigma detected: Potential Data Stealing Via Chromium Headless Debugging
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph (ID 1720550; sample RemasterSouls 1.0.0.msi; start date 23/06/2025; architecture WINDOWS; score 48). The graph image itself is not reproduced; the information recoverable from it:

Process chain: msiexec.exe (installs the package) -> RemasterSouls.exe -> chrome.exe (which spawns further chrome.exe children), cmd.exe -> cscript.exe and conhost.exe, plus 22 other child processes of RemasterSouls.exe, several of them additional cscript.exe instances. A second msiexec.exe instance carries the "Drops large PE files" signature. msedge.exe and its children are started at the top level, not as children of the sample.

Files dropped by msiexec.exe: C:\Users\user\AppData\...\RemasterSouls.exe (PE32+), C:\Users\user\AppData\Local\...\vulkan-1.dll (PE32+), C:\Users\user\AppData\...\vk_swiftshader.dll (PE32+), and 6 other files (none malicious).

Files dropped by RemasterSouls.exe: C:\Users\user\AppData\...\RemasterSouls.exe (PE32+), C:\Users\user\AppData\Local\...\passwords.txt (ASCII), C:\Users\user\AppData\...\creditcards.txt (ASCII), and 7 other malicious files.

Signatures attached to RemasterSouls.exe: Attempt to bypass Chrome Application-Bound Encryption; Potential malicious VBS script found (suspicious strings); Drops PE files to the startup folder; 3 other signatures. Top-level signatures: Suricata IDS alerts for network traffic; Sigma detected: WScript or CScript Dropper; Joe Sandbox ML detected suspicious sample; 3 other signatures.

Network: www.myexternalip.com, store8.gofile.io (94.139.32.13:443, ENIX-ASFR, Belgium; contacted by RemasterSouls.exe) and canary.discord.com at the top level; chrome.cloudflare-dns.com (172.64.41.3:443, CLOUDFLARENETUS) from the sample's other child processes; 142.250.80.110:443 and plus.l.google.com (142.251.40.110:443, GOOGLEUS) from the sample-spawned chrome.exe, which also talks to 192.168.2.5 (ports 138, 443); 142.251.40.197:443 (GOOGLEUS), s-part-0012.t-0009.t-msedge.net (13.107.246.40:443) and ax-0002.ax-msedge.net (150.171.27.11:443, MICROSOFT-CORP-MSN-AS-BLOCKUS) from msedge.exe; 239.255.255.250 (reserved multicast) from the other top-level processes; plus further IPs and domains the graph collapses into counts.
Result
Malware family: n/a
Score: 8/10
Tags: credential_access discovery spyware stealer
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Browser Information Discovery
Reads user/profile data of web browsers
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
An obfuscated cmd.exe command-line is typically used to evade detection.
Checks computer location settings
Enumerates connected drives
Drops startup file
Uses browser remote debugging
Verdict: Suspicious
Tags: n/a
YARA: n/a
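The Signature list above (Chromium headless debugging, script interpreters run from Temp, PE files dropped to the Startup folder) and the Behaviour list (Uses browser remote debugging, Drops startup file) describe behaviours a defender can turn into process- and file-event triage rules. The following is an added example, not code from the MalwareBazaar page, from any vendor sandbox, or from the referenced Sigma rules; it approximates those detections over constructed telemetry modelled on the process tree above. The event schema (kind, image, cmdline, parent, target), the rule names, and the choice of "suspicious" directories are this example's own assumptions. The link drawn between headless remote debugging and the App-Bound Encryption bypass signature is an inference from the two signatures appearing together, stated in the comments as such.

```python
"""
Triage rules for the sandbox behaviours listed above (headless Chromium
remote debugging, script hosts run from Temp/AppData, PE dropped to the
Startup folder). Added example: not code from the MalwareBazaar page, a
vendor sandbox, or a Sigma rule. The event records below are CONSTRUCTED
to resemble the RemasterSouls process tree; the field names (kind, image,
cmdline, parent, target) and rule names are this example's own.
"""
import re
from dataclasses import dataclass

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe"}
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}

# --remote-debugging-port / --remote-debugging-pipe expose the DevTools
# protocol; with --headless no window ever appears. Letting the browser
# decrypt its own cookie and password stores and reading them out over
# DevTools is one documented way stealers sidestep App-Bound Encryption,
# which is why the two signatures above plausibly belong together.
DEBUG_FLAG = re.compile(r"--remote-debugging-(?:port|pipe)\b", re.I)
HEADLESS_FLAG = re.compile(r"--headless\b", re.I)
# Assumption: these roots count as "suspicious" script locations.
SUSPICIOUS_DIRS = re.compile(r"\\(?:Temp|AppData\\Roaming|Users\\Public|ProgramData)\\", re.I)
# Per-user Startup folder receiving a PE-like extension.
STARTUP_PE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(?:exe|dll|scr)$", re.I)


@dataclass
class Event:
    kind: str           # "process" (creation) or "file" (write)
    image: str = ""     # full image path of the created process
    cmdline: str = ""
    parent: str = ""    # full image path of the parent process
    target: str = ""    # path written, for "file" events


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check(ev: Event) -> list[str]:
    """Return the names of every rule the event trips (possibly none)."""
    hits = []
    if ev.kind == "process":
        img = basename(ev.image)
        if img in BROWSERS and DEBUG_FLAG.search(ev.cmdline):
            # Browsers spawn their own helpers with debug flags; a
            # non-browser parent driving the debug port is the stealer shape.
            if basename(ev.parent) not in BROWSERS:
                hits.append("chromium_remote_debugging_from_nonbrowser_parent")
            if HEADLESS_FLAG.search(ev.cmdline):
                hits.append("chromium_headless_debugging")
        if img in SCRIPT_HOSTS and SUSPICIOUS_DIRS.search(ev.cmdline):
            hits.append("script_host_from_suspicious_folder")
    elif ev.kind == "file" and STARTUP_PE.search(ev.target):
        hits.append("pe_dropped_to_startup_folder")
    return hits


def triage(events: list[Event]) -> list[tuple[int, str]]:
    """(event index, rule name) for every hit, in event order."""
    return [(i, h) for i, ev in enumerate(events) for h in check(ev)]


# Constructed telemetry, modelled on the process tree in the graph above.
SAMPLE_EVENTS = [
    Event("process",
          image=r"C:\Users\user\AppData\Local\Programs\RemasterSouls\RemasterSouls.exe",
          cmdline=r'"C:\Users\user\AppData\Local\Programs\RemasterSouls\RemasterSouls.exe"',
          parent=r"C:\Windows\System32\msiexec.exe"),
    Event("process",
          image=r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          cmdline=r'chrome.exe --headless --remote-debugging-port=9222 '
                  r'--user-data-dir="C:\Users\user\AppData\Local\Google\Chrome\User Data"',
          parent=r"C:\Users\user\AppData\Local\Programs\RemasterSouls\RemasterSouls.exe"),
    Event("process",
          image=r"C:\Windows\System32\cscript.exe",
          cmdline=r'cscript.exe //nologo "C:\Users\user\AppData\Local\Temp\update.vbs"',
          parent=r"C:\Windows\System32\cmd.exe"),
    Event("file",
          target=r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RemasterSouls.exe"),
    # Benign controls: a user-launched browser, a browser helper process
    # carrying a debug flag, and a script host reading from Program Files.
    Event("process",
          image=r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          cmdline=r"chrome.exe --profile-directory=Default",
          parent=r"C:\Windows\explorer.exe"),
    Event("process",
          image=r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          cmdline=r"chrome.exe --type=renderer --remote-debugging-pipe",
          parent=r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    Event("process",
          image=r"C:\Windows\System32\wscript.exe",
          cmdline=r'wscript.exe "C:\Program Files\Vendor\setup.vbs"',
          parent=r"C:\Windows\System32\msiexec.exe"),
]

if __name__ == "__main__":
    for idx, rule in triage(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{rule}] {ev.image or ev.target}")
```

Run against the constructed events, the three malicious process events and the Startup-folder write each trip a rule while the three benign controls stay silent; the parent check is what keeps Chromium's own helper processes (which legitimately carry --remote-debugging-pipe) out of the alert stream.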

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: DiscordTokenStealer
File type: Microsoft Software Installer (MSI) msi
SHA256: f3a00c61814cfbb3d5ace0bfc9ab618637034b1babc852b3cc2eb59699e5f338 (this sample)

Comments



commented on 2025-06-23 03:33:23 UTC

Stealer