MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5246ffc5f9f040d1ccc1a714edcce00acf8f85c20cb7fdd0f1e0cf1e30785b9d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DiscordTokenStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5246ffc5f9f040d1ccc1a714edcce00acf8f85c20cb7fdd0f1e0cf1e30785b9d
SHA3-384 hash: d49524243d09900d2832f940b49f284311fe1d40eb47c5730b230cecec3c97d22ffa6b7bd3ba4c9a8ad60d8ffd52ebec
SHA1 hash: 13e849a88d7f1092f0d494c8b2550df235bf851a
MD5 hash: 3d5dad36457cdec4c0cb6276c45dc172
humanhash: queen-lake-monkey-foxtrot
File name:mona.cc.exe
Download: download sample
Signature DiscordTokenStealer
Create hunting rule
File size:70'004'788 bytes
First seen:2025-02-13 16:22:51 UTC
Last seen:2025-02-13 17:31:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 33742414196e45b8b306a928e178f844 (16 x Efimer, 5 x BlankGrabber, 4 x XWorm)
ssdeep 1572864:j8sCy3CREVd1AEJ5Rh1+BDDy4gds8KN28bjhPyQheESYU+g:jICC+Vd1AY5bADDxgds88jhPrvSYU+
TLSH T106E7330ABB106885E6762237C62F8B09E9F5BC1D874E45462774322A1C57ACDE4BFFC1
TrID 46.3% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
34.6% (.EXE) InstallShield setup (43053/19/16)
8.4% (.EXE) Win64 Executable (generic) (10522/11/4)
4.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.6% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
File icon (PE):PE icon
dhash icon ccccccccd4d4d4d4 (1 x DiscordTokenStealer)
Reporter Tsx
Tags:DiscordTokenStealer exe RedTiger RedTigerStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
546
Origin country :
QA QA
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
mona.cc.exe
Verdict:
Malicious activity
Analysis date:
2025-02-13 16:35:16 UTC
Tags:
python pyinstaller discordgrabber generic stealer
Link:
https://app.any.run/tasks/433bdf6f-9eca-446b-afbd-0b45c8d4471d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67ae1c9828ab76d43a5ad2eb
Tags:
n/a
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Restart of the analyzed sample
Creating a window
Running batch commands
Creating a process with a hidden window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
expand lolbin masquerade microsoft_visual_cc obfuscated overlay packed packer_detected
Link:
https://www.filescan.io/uploads/67ae1c90991985e0a95850b6/reports/58618fe6-07a2-4e7c-97b6-3d24e1aa8ab8/overview
Verdict:
Malicious
Labled as:
PYC/Hazgrab.A.gen
Link:
https://www.hybrid-analysis.com/sample/5246ffc5f9f040d1ccc1a714edcce00acf8f85c20cb7fdd0f1e0cf1e30785b9d
Result
Verdict:
MALICIOUS
Result
Threat name:
Discord Token Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1614438
Signature
Found pyInstaller with non standard icon
Potentially malicious time measurement code found
Yara detected Discord Token Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1614438 Sample: mona.cc.exe Startdate: 13/02/2025 Architecture: WINDOWS Score: 56 27 Yara detected Discord Token Stealer 2->27 7 mona.cc.exe 206 2->7         started        process3 file4 19 C:\Users\...\_quoting_c.cp310-win_amd64.pyd, PE32+ 7->19 dropped 21 C:\Users\user\AppData\Local\...\shell.pyd, PE32+ 7->21 dropped 23 C:\Users\user\AppData\...\win32trace.pyd, PE32+ 7->23 dropped 25 110 other files (none is malicious) 7->25 dropped 29 Found pyInstaller with non standard icon 7->29 31 Potentially malicious time measurement code found 7->31 11 mona.cc.exe 1 7->11         started        13 conhost.exe 7->13         started        signatures5 process6 process7 15 cmd.exe 1 11->15         started        17 cmd.exe 1 11->17         started       
Score:
77%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5246ffc5f9f040d1ccc1a714edcce00acf8f85c20cb7fdd0f1e0cf1e30785b9d
Gathering data
Threat name:
Win64.Infostealer.PySpy
Create hunting rule
Status:
Malicious
First seen:
2025-02-13 16:23:46 UTC
File Type:
PE+ (Exe)
Extracted files:
2856
AV detection:
7 of 37 (18.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kjdp7rpz6bandtgbu4ko3thablhy7bocbs373uhr4dhr4mdylooq._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery pyinstaller
Link:
https://tria.ge/reports/250213-tv5rga1jez/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Loads dropped DLL
Downloads MZ/PE file
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/cf00cbc1-1e73-4e9c-ab88-c85b73e466e2
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:dsc
Create hunting rule
Author:Aaron DeVera
Description:Discord domains
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DiscordTokenStealer

Executable exe 5246ffc5f9f040d1ccc1a714edcce00acf8f85c20cb7fdd0f1e0cf1e30785b9d

(this sample)

  
Delivery method
Distributed via web download

Comments