MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 03a154ff5dd6c2e783a72c63f515e8a656e50958d31a0ee5c3cf61f31c5433f1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DiscordTokenStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 03a154ff5dd6c2e783a72c63f515e8a656e50958d31a0ee5c3cf61f31c5433f1
SHA3-384 hash: 4d511f06a90863df4a74055ed01d64f7ef8c2a008a5b756381aa1d5a4477d996c6611b55c7d7b08096926c2fb4c31865
SHA1 hash: 83a983b4494007f38ec91b7ab85199ca4c2dd132
MD5 hash: e1408abc6c49f68336e45550423f847e
humanhash: oregon-sierra-saturn-berlin
File name:SecuriteInfo.com.Win32.PWSX-gen.2667.16581
Download: download sample
Signature DiscordTokenStealer
Create hunting rule
File size:368'640 bytes
First seen:2025-02-06 13:37:12 UTC
Last seen:2025-02-14 10:57:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'619 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:k9VsrW7h+j50ksBez8l7cziNfupNJYqJwbrt17UQDYYzWhAlAFPi+WXwdcWhxALt:kJsjSszBOcJJ27UQDY7AKI9wRhegi
TLSH T17A7423037D699342EAF1013B9C5FF7513755FF841F4B8E971E080E251E4EA89A9B3892
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter SecuriteInfoCom
Tags:196-251-92-64 DiscordTokenStealer exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
439
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Win32.PWSX-gen.2667.16581
Verdict:
Malicious activity
Analysis date:
2025-02-06 13:44:41 UTC
Tags:
purecrypter purelogs zgrat netreactor stealer
Link:
https://app.any.run/tasks/caaaf685-ee35-43e6-90a9-98138c9984df

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.2667.16581.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67a4bc8e51193558eb199b9f
Tags:
xtreme msil sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Launching a process
Creating a file in the %AppData% directory
Creating a file
Stealing user critical data
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated obfuscated obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/67a4bb166f3db6cc3aaa72a2/reports/b39ecf03-5dec-4e86-8c1f-df6ef186c9d7/overview
Verdict:
Malicious
Labled as:
Trojan.Mardom.MN.Generic
Link:
https://www.hybrid-analysis.com/sample/03a154ff5dd6c2e783a72c63f515e8a656e50958d31a0ee5c3cf61f31c5433f1
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/46293015-35f0-417c-943e-f5c59e707882
Result
Threat name:
Discord Token Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1608376
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates autostart registry keys with suspicious names
Deletes itself after installation
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Set autostart key via New-ItemProperty Cmdlet
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Costura Assembly Loader
Yara detected Discord Token Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1608376 Sample: SecuriteInfo.com.Win32.PWSX... Startdate: 06/02/2025 Architecture: WINDOWS Score: 100 32 75.103.13.0.in-addr.arpa 2->32 40 Antivirus / Scanner detection for submitted sample 2->40 42 Multi AV Scanner detection for submitted file 2->42 44 Yara detected Discord Token Stealer 2->44 46 7 other signatures 2->46 8 SecuriteInfo.com.Win32.PWSX-gen.2667.16581.exe 5 2->8         started        13 SecuriteInfo.com.Win32.PWSX-gen.2667.16581.exe 2 2->13         started        15 SecuriteInfo.com.Win32.PWSX-gen.2667.16581.exe 2 2->15         started        signatures3 process4 dnsIp5 34 198.135.53.180, 49706, 49707, 49710 CISCOSYSTEMSUS United States 8->34 26 SecuriteInfo.com.W...-gen.2667.16581.exe, PE32 8->26 dropped 28 SecuriteInfo.com.W...exe:Zone.Identifier, ASCII 8->28 dropped 30 SecuriteInfo.com.W....2667.16581.exe.log, ASCII 8->30 dropped 48 Suspicious powershell command line found 8->48 50 Tries to steal Mail credentials (via file / registry access) 8->50 52 Found many strings related to Crypto-Wallets (likely being stolen) 8->52 54 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->54 17 powershell.exe 15 8->17         started        20 powershell.exe 1 11 8->20         started        56 Antivirus detection for dropped file 13->56 58 Multi AV Scanner detection for dropped file 13->58 60 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->60 62 Machine Learning detection for dropped file 13->62 64 Tries to harvest and steal browser information (history, passwords, etc) 15->64 66 Tries to harvest and steal Bitcoin Wallet information 15->66 file6 signatures7 process8 signatures9 36 Deletes itself after installation 17->36 22 conhost.exe 17->22         started        38 Creates autostart registry keys with suspicious names 20->38 24 conhost.exe 20->24         started        process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/03a154ff5dd6c2e783a72c63f515e8a656e50958d31a0ee5c3cf61f31c5433f1
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/03a154ff5dd6c2e783a72c63f515e8a656e50958d31a0ee5c3cf61f31c5433f1/
Threat name:
ByteCode-MSIL.Trojan.Mardom
Create hunting rule
Status:
Malicious
First seen:
2025-02-06 12:50:00 UTC
AV detection:
19 of 38 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aoqvj72523bopa5hfrr7kfpiuzlokcky2mna5zodz5q7ghcugpyq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection defense_evasion discovery execution persistence spyware stealer
Link:
https://tria.ge/reports/250206-qxfzcawnbt/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
System Location Discovery: System Language Discovery
Accesses Microsoft Outlook profiles
Adds Run key to start application
Command and Scripting Interpreter: PowerShell
Indicator Removal: File Deletion
Deletes itself
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/58396075-68c7-4394-a436-e4e860a90bc0
Unpacked files
SH256 hash:
03a154ff5dd6c2e783a72c63f515e8a656e50958d31a0ee5c3cf61f31c5433f1
MD5 hash:
e1408abc6c49f68336e45550423f847e
SHA1 hash:
83a983b4494007f38ec91b7ab85199ca4c2dd132
Link:
https://www.unpac.me/results/9a7a0213-9540-44f2-a145-947e6be4ac48/
SH256 hash:
f4c1c59d30eef527e0e2ba78684e223354407115bd7dc85f6f62d083aad9ea80
MD5 hash:
b8be3578091015348385e044287d5a7a
SHA1 hash:
209c4a813abda8cd7669e08018b7ba8d20b97309
Link:
https://www.unpac.me/results/9a7a0213-9540-44f2-a145-947e6be4ac48/
SH256 hash:
59747dcf1878907c119140e265f3cf4c9687bf51b6f40bba14bd94c39ae2f805
MD5 hash:
eb1bec1ea766a8b9d730d87156f5fb67
SHA1 hash:
6f9f1176a2fa6a0d1ea53ee7a573913067fd4c73
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/9a7a0213-9540-44f2-a145-947e6be4ac48/
SH256 hash:
45766ff21d820a55fa88e2bc3326a40cee55e62fc9634085739250e23d17d0de
MD5 hash:
012e1d95bba64bada1fc8298c2cf171d
SHA1 hash:
a440eab2d091394b2246c870a05886a6a0a99a84
Link:
https://www.unpac.me/results/9a7a0213-9540-44f2-a145-947e6be4ac48/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/03a154ff5dd6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/03a154ff5dd6c2e783a72c63f515e8a656e50958d31a0ee5c3cf61f31c5433f1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DiscordTokenStealer

Executable exe 03a154ff5dd6c2e783a72c63f515e8a656e50958d31a0ee5c3cf61f31c5433f1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3429877/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments