Default:
- Anti-Debug
- Anti-VM
- Bypass VirusTotal Machines
- Bypass Windows Defender
- Steals Cookie, Password information from all Chromium based browsers (Chrome, Edge, OperaGX, Opera, Brave, Yandex and more)
- Keyword Filtering able to see which websites information gathered without download
- Grabs MetaMask, Exodus, Atomic, Coinbase, Binance, Trust Wallet, Phantom Wallet
- Injection Discord, Discord Canary, DiscordPTB, Lightcord
- Bypass Discord Token Protector, BetterDiscord
- Gather Discord Token, Phone, Email, Badge, Billing
- Validates found Discord Token and then sends it to your Webhook
- Fetches HQ Friends (Early Supporter, Active Developer, Bot Developer)
- Gather Network Information
- File Stealer (Seed Phrases, Tokens, Private Keys, Recovery Codes, Backup Codes, 2FA)
- Grabs Steam, Telegram, Riot Games Session
- GUI Builder
- Customizable Icon, Description, Name, Version
- Add to Startup
- Sends All Data Through Discord Webhook

Injection Discord:
- Nitro Auto Buy
- New Passwords
- New Emails
- New Login
- New Credit Card
- New PayPal
+ More!

> This software is provided as-is and I am not responsible for any damages that may occur after acquiring or using it. Please understand that this software is intended for personal educational purposes and sandbox testing only. I make no guarantees about its performance or suitability for specific purposes. It is important to note that this software is not intended for critical or sensitive environments. Any usage beyond its intended purposes is your own decision and responsibility. You are solely responsible for evaluating your own technical abilities and knowledge to use the software appropriately. I cannot be held liable for any actions you take based on the information or functionality provided by the software. By acquiring or using this software, you agree to release me from any claims or liabilities. Please seek legal advice if you have any specific concerns or questions about the software's usage. By using/downloading this repository, you agree to the Commons Clause license and that you're not allowed to sell this repository or any code from this repository.

As per the statement made by the Threat Actor (TA), it appears that an upgraded version of Hazard Stealer can be accessed by purchasing it on their Discord server or website. This indicates that the malware present on GitHub might not be that evasive, and the TA has only uploaded it there for advertisement purposes. Figure 1 shows the statement made by the TA.

The number of samples related to Hazard Stealer has increased significantly in the last three months, as shown below.

Figure 2 – Stats of the sample submission in VirusTotal

The figure below shows the file details of one of the recent samples we analyzed.

Figure 3 – File Details

Technical Analysis

Builder:

Hazard Token Grabber is developed in Python, and the builder of this stealer supports Python version 3.10. The builder is a simple batch file that helps generate the payload and convert the malicious Python script to a.

The malware exfiltrates the stolen data to a Discord channel using webhooks, which can be modified through the configuration settings. The configuration also contains flag variables and a list of programs to terminate during execution, as shown below.

The malware copies itself into the startup location to establish persistence and creates a randomly named directory in %temp% to store the stolen data.

Figure 6 – Creating a folder in the Temp directory

Upon execution, the stealer checks the configuration settings and builds a list of the function names whose flag is set to TRUE. It then creates a thread for each function in the list so that the malicious routines run in parallel.

The malware performs various anti-debugging checks and terminates itself if it detects that it is being debugged.

Figure 8 – Anti-debug check

The malware holds a short list of hardcoded values, such as hardware IDs, PC names, and usernames, and will not infect a system that matches one of them. The figure below shows the hardcoded lists. It also checks the disk size of the victim's system.
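As an added defender-side example (not code from the original post or from the stealer), the following Python flags the exfiltration pattern described above: a POST to a Discord webhook URL, rated higher when the sending binary lives in the Startup folder or under %TEMP%, the two locations the analysis names. The record format, its field names and the allow-list of browsers are constructed assumptions, not a real product schema.

```python
import re
# Discord webhook endpoint: the exfiltration channel the analysis describes.
WEBHOOK_RE = re.compile(r"^https://(?:[a-z]+\.)?discord(?:app)?\.com/api/webhooks/\d+/\S+", re.I)
# Locations the analysis names: the Startup folder (persistence) and %TEMP% (staging).
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# Binaries allowed to reach webhooks; constructed allow-list, tune it per environment.
EXPECTED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe"}

def parse_event(line):
    """Parse one constructed key="value" record (hypothetical schema) into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

def classify(event):
    """Return None for a benign event, or a short reason when it matches the pattern."""
    if event.get("method", "").upper() != "POST":
        return None
    if not WEBHOOK_RE.match(event.get("url", "")):
        return None
    image = event.get("image", "")
    if STARTUP_RE.search(image):
        return "webhook POST from Startup-folder binary"
    if TEMP_RE.search(image):
        return "webhook POST from %TEMP% binary"
    if image.rsplit("\\", 1)[-1].lower() not in EXPECTED_CLIENTS:
        return "webhook POST from unexpected process"
    return None

def find_webhook_exfil(lines):
    """Return (image, reason) for every record that looks like webhook exfiltration."""
    hits = []
    for line in lines:
        event = parse_event(line)
        reason = classify(event)
        if reason:
            hits.append((event.get("image", ""), reason))
    return hits

# Constructed sample telemetry, not real logs; the webhook token is a placeholder.
SAMPLE_LOG = [
    'image="C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.exe" '
    'method="POST" url="https://discord.com/api/webhooks/000000000000/PLACEHOLDER_TOKEN"',
    'image="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" '
    'method="GET" url="https://discord.com/channels/@me"',
    'image="C:\\Users\\alice\\AppData\\Local\\Temp\\a1b2c3\\stub.exe" '
    'method="POST" url="https://discordapp.com/api/webhooks/000000000000/PLACEHOLDER_TOKEN"',
    'image="C:\\Users\\alice\\AppData\\Local\\Discord\\app-1.0.9\\Discord.exe" '
    'method="POST" url="https://discord.com/api/v9/users/@me"',
]
```

Running `find_webhook_exfil(SAMPLE_LOG)` returns the two records from the Startup folder and %TEMP% binaries and leaves the browser GET and the Discord client's own API call alone.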