Posted

I was looking around on this forum: https://malwaretips.com/threads/suspicious-game.124193/

There is a suspicious game getting past Opentip, Kaspersky's Scanner, and Behavioral detection. People have analyzed it and said that it is a Discord stealer that steals your Discord token; however, it pops up an error, which may mean it's not doing its thing.

I don't know where to submit things - I submitted on Opentip, but every time I've done that no one has ever responded back to me.

harlan4096
Posted

Welcome to Kaspersky Community.

 

I can confirm that I also tried several times to send that sample of around 67MB, not exceeding the KOTIP limit of 256MB, and I got a warning via email reply that I exceeded the limit.

Quote

 

Your message wasn't delivered to anyone because it's too large. The limit is 51 MB. Your message is 92 MB.

newvirus @ kaspersky . com

Your message couldn't be sent because it's too large.

 

It seems KOTIP sent the sample via the old method, via that email address... weird.

harlan4096
Posted

I've already reported via that email, adding a link to the malware from my own private MEGA cloud service. I hope they reply to me.

harlan4096
Posted

Great, I got the robot reply with an assigned request ID.

harlan4096
Posted
Quote

 

Hello,

New malicious software was found in the attached file.
Trojan-PSW.Win32.DiscoStealer.ah
Its detection will be included in the next update.
Thank you for your help.

Best regards,
Igor, Malware Analyst, Kaspersky
39A/3 Leningradskoe Shosse, Moscow, 125212, Russia Tel./Fax: + 7 (495) 797 8700 http://www.kaspersky.com https://securelist.com
https://opentip.kaspersky.com/ - get insights about suspicious files, hashes, URLs, IP addresses or domain names

 


Posted
9 hours ago, harlan4096 said:


Where did you send it, so I know where to in case I need to report something? I emailed it to them and never got a response.

harlan4096
Posted

Check this thread:

 

 

Posted

Oh, you sent it via opentip?

Can you also report this website ageostealer.wtf?
It's the website this strain of stealer uses.

Posted

Oh never mind, it's detected already.

harlan4096
Posted

Did you read it? It seems not... No, I did not send it via KOTIP; I sent it the old way, which still works, via email, not attaching the file directly but adding a link to download it (compressed with the password "infected").

Posted
3 minutes ago, harlan4096 said:

Did you read it? It seems not... No, I did not send it via KOTIP; I sent it the old way, which still works, via email, not attaching the file directly but adding a link to download it (compressed with the password "infected").

Oh cool, wonder why they didn't respond to me. Maybe I attached it in a weird way.

harlan4096
Posted

No, there is an issue with KOTIP and malware files bigger than 51MB; this one is 67MB, so I also could not send it... anyway, it's true that I got a warning reply by email. Check your spam folder.

Posted
35 minutes ago, harlan4096 said:

No, there is an issue with KOTIP and malware files bigger than 51MB; this one is 67MB, so I also could not send it... anyway, it's true that I got a warning reply by email. Check your spam folder.

Yeah, I saw. I sent it via email and I did get a warning reply.

Posted (edited)

I found another one and sent it via email as well, let's hope they respond back.
Not sure if it's an issue that the download is a Triage link, but that does work.

Edited by Xeno
Posted

Is it an issue if I made the download a Triage link?

Posted

I sent an email but they never responded lol

harlan4096
Posted

Without the sample file we can't report...

Posted
38 minutes ago, harlan4096 said:

Without the sample file we can't report...

Here are the two samples that have no detection on VT...

Password is infected.

harlan4096
Posted

I already got those 2 files; they are the same ones I already reported...
