CursedGrabber Malware Sample Download

A new malware campaign using npm registry as a mode of spreading. This Malware is debut as CursedGrabber. Its designed to steal Discord App Tokens, personal information such payment information and web browser files of the users. It is spread via xpc.js package at npm repository, which is taken down at the time of writing. It is contains node component that execute lib2.exe as after install node hook on windows.It written in C#.

Lib2.exe Debug File

D:\repos\New\TokenGrabber\Unpacker\obj\Release\Discord.pdb

Lib2.exe launch PowerShell.exe to download bundle-5.0.5.zip which contains additional malware. It contain osloader.exe, winresume.exe, Stealer.dll, Backdoor.dll, BackdoorApi.dll with total of 36 files.

CursedGrabber (lib2.exe) Signatures

Family: PWS:MSIL/Stealer.MX!MTB
MD5: 8099336b7c0ab70e8ba9bbce45c94a31
SHA256: a0f8aec40f1d7cd0820b83b430890dcb922cc24c117bd9af3fa7d884194286aa

CursedGrabber (lib2.exe) Download

CursedGrabber (bundle-5.0.5.zip) Signatures

Family: PWS:MSIL/Discord.RMA!MTB
MD5: cb8b486224a35e454077258e12a36dbe
SHA256: 1bfea7d6440b3e77e328076821d77e4a7b5daf1b50194e35bd279f0282623641

CursedGrabber (bundle-5.0.5.zip) Download