Malware Analysis
Intro
I was made aware of a domain that had been squatted on through Discord. Essentially, there is a mod for Hogwarts Legacy on Steam called HogWarp. The Discord server lost the required Nitro Boosters for its vanity URL. Another server took notice and pounced. They are now posing as HogWarp and have even created a fake website ending in .org, with a link to a Discord message attachment containing a 75 MB executable.
Analysis
- Same setup as the last one: an NSIS executable that can be unpacked with 7-Zip. It has essentially the same-looking files.
- It seems to get the machine UUID and then reach out to the C2 and send it. Can't get that information dynamically by running it under FakeNet.
C2 server
- 13.91.222.70:1337 is contacted with a WebSocket request, lol.
- Browsing to it leads to a "Hexon Dashboard - Login Screen" page.
Code
- The code is disgustingly obfuscated.
- Here I begin the deobfuscation…
- Ran it through restringer, which helped a ton just cleaning up the structure.
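Once restringer has turned the string-array obfuscation back into plain literals, the next step is pulling the network indicators out of the cleaned bundle rather than reading the whole thing. The script below is an added Python example for these notes; it is not the stealer's code and not part of restringer. The embedded JavaScript snippet is constructed to imitate what a deobfuscated bundle looks like and only reuses indicators already recorded on this page; the regexes and bucket names are my own choices.

```python
"""Pull network IOCs (IP:port pairs, URLs, WebSocket endpoints, bare domains,
Telegram handles) out of a deobfuscated JavaScript bundle.

Added example for these notes; not the sample's code and not restringer's.
"""
import re
import sys
from typing import Dict, List

# Constructed sample input that imitates a bundle after restringer has run.
# It is NOT the real stealer's code; the indicators are the ones from the notes.
SAMPLE_JS = r'''
const ws = new WebSocket("ws://13.91.222.70:1337/");
fetch("https://hexoncopy.vercel.app/api/ping");
const tg = "https://t.me/hexonstealer";
const clone = "inmostgame.com"; // site being copied
'''

# Dotted quad with an optional :port. Shape only; octet range is checked below.
IP_PORT_RE = re.compile(r"\b((?:\d{1,3}\.){3}\d{1,3})(?::(\d{1,5}))?\b")
# http(s) and ws(s) URLs, stopping at whitespace or a closing quote/bracket.
URL_RE = re.compile(r"\b(?:wss?|https?)://[^\s\"'<>)]+")
# Bare domains. The TLD allowlist is deliberately short so that ordinary JS
# property access (foo.bar) is not reported; extend it as needed.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|org|net|fr|shop|app|io)\b", re.I)
# Telegram handles, with or without the scheme.
TG_RE = re.compile(r"(?:https?://)?t\.me/([A-Za-z0-9_]{5,32})")


def extract_iocs(text: str) -> Dict[str, List[str]]:
    """Return sorted, de-duplicated indicators grouped by type."""
    found = {k: set() for k in ("ip_port", "websocket", "url", "domain", "telegram")}

    for ip, port in IP_PORT_RE.findall(text):
        # Reject strings like 999.1.1.1 that have the shape but are not IPs.
        if all(int(octet) <= 255 for octet in ip.split(".")):
            found["ip_port"].add(f"{ip}:{port}" if port else ip)

    for url in URL_RE.findall(text):
        # Keep the C2 WebSocket endpoint separate from ordinary HTTP URLs.
        bucket = "websocket" if url.startswith("ws") else "url"
        found[bucket].add(url)

    for domain in DOMAIN_RE.findall(text):
        found["domain"].add(domain.lower())

    for handle in TG_RE.findall(text):
        found["telegram"].add(handle)

    return {kind: sorted(values) for kind, values in found.items()}


if __name__ == "__main__":
    # Usage: python extract_iocs.py deobfuscated.js  (falls back to SAMPLE_JS)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            source = fh.read()
    else:
        source = SAMPLE_JS
    for kind, values in extract_iocs(source).items():
        for value in values:
            print(f"{kind}\t{value}")
```

Version strings such as 1.0.2.9 pass the octet check and will show up in ip_port, so the output still needs a quick manual triage; the point is to get a short candidate list out of a multi-megabyte bundle, not a verdict.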
More sites
- It seems they are all copying inmostgame.com.
- There is also findthehidden.shop.
- dark-knight.fr
- Another strange site is hexoncopy.vercel.app.
- Telegram is t.me/hexonstealer.