NStealer v2

@g0njxa -

Okay, this is what I’ve got. I wasn’t able to get the sample to perform the exfiltration, but I believe it is going to use Discord because it has this Java Discord API embedded within the .jar, and I observed DNS queries to Discord in my lab.

Screenshot 2023-09-25 at 11.23.08 AM

I also found these classes under the title “execchain.noom1337” which is probably where most of the malicious code is but I haven’t made much progress making sense of it all.

Screenshot 2023-09-25 at 11.26.06 AM


Based on the way that the archives are formatted the following sigs should already detect the exfiltration but I also created two new signatures that match the archive name format that is specific to nstealer. I’ll share the new sigs later today after they go live.

2029846 - ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
2035015 - ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
2035016 - ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
2843856 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2
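The signatures listed above work because a ZIP archive carries each member's filename in cleartext inside its local file header, so a sensor can spot "Passwords.txt" or "screenshot.*" in an outbound POST body without unpacking anything. The script below is an added example of that detection logic written from scratch for this thread; it is not the text of the ET/ETPRO rules and not code from the post. It builds a constructed in-memory archive wrapped in a minimal HTTP POST, walks the body for `PK\x03\x04` local file headers, and flags member names modelled on the filenames quoted in the signature titles. The `/upload` path, `example.invalid` host and file contents are constructed placeholders.

```python
import io
import re
import struct
import zipfile

# Filename patterns modelled on the signature names quoted in the post
# (assumption: the real rules may match differently; these are illustrative).
SUSPICIOUS_NAMES = [
    re.compile(rb"^passwords\.txt$", re.IGNORECASE),  # Passwords.txt / passwords.txt
    re.compile(rb"^screenshot\.", re.IGNORECASE),     # screenshot.<ext>
]

LOCAL_HEADER_SIG = b"PK\x03\x04"  # ZIP local file header signature


def zipped_filenames(body: bytes) -> list:
    """Return the member filenames found in ZIP local file headers in a byte buffer.

    Each local header is 30 fixed bytes; the filename length is the
    little-endian uint16 at offset 26 and the extra-field length at offset 28,
    with the filename immediately following the fixed part. The archive is not
    decompressed, which is what lets this run over a raw POST body.
    A compressed stream can in principle contain the signature bytes by chance,
    so treat hits as indicators to correlate, not proof on their own.
    """
    names = []
    pos = body.find(LOCAL_HEADER_SIG)
    while pos != -1:
        if pos + 30 > len(body):
            break
        name_len, extra_len = struct.unpack_from("<HH", body, pos + 26)
        names.append(body[pos + 30: pos + 30 + name_len])
        pos = body.find(LOCAL_HEADER_SIG, pos + 30 + name_len + extra_len)
    return names


def suspicious_zipped_names(body: bytes) -> list:
    """Filter the archive member names down to the ones matching the watchlist."""
    return [n for n in zipped_filenames(body)
            if any(p.search(n) for p in SUSPICIOUS_NAMES)]


def is_suspicious_post(request: bytes) -> bool:
    """True when an outbound HTTP POST body carries a zipped file with a flagged name."""
    head, _, body = request.partition(b"\r\n\r\n")
    if not head.startswith(b"POST "):  # only POSTs are in scope, as in the rule names
        return False
    return bool(suspicious_zipped_names(body))


def build_sample_request(files: dict) -> bytes:
    """Constructed sample: zip the given name->bytes mapping and wrap it in a POST."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    body = buf.getvalue()
    head = (b"POST /upload HTTP/1.1\r\n"
            b"Host: example.invalid\r\n"
            b"Content-Type: application/octet-stream\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n")
    return head + body


if __name__ == "__main__":
    req = build_sample_request({"Passwords.txt": b"constructed", "screenshot.png": b"\x89PNG"})
    print(suspicious_zipped_names(req.partition(b"\r\n\r\n")[2]))
    print(is_suspicious_post(req))
```

Running it on a real capture means feeding the reassembled request bytes to `is_suspicious_post`; on the constructed sample it reports both flagged member names. The check deliberately keys on the local file header rather than the central directory at the end of the archive, so it can fire before the upload completes.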