Author Topic: J:S AnarchyGrabber-A [TRJ] - False Positive?  (Read 2718 times)


Offline drake145

  • Jr. Member
  • **
  • Posts: 45
J:S AnarchyGrabber-A [TRJ] - False Positive?
« on: May 31, 2020, 03:14:03 PM »
Good day All,

I ran a full deep scan today, and it detected a Trojan in the "index.js" file on the below path:

/Users/Home/Library/Application Support/discord/0.0.254/modules/discord_desktop_core

I ran a full malwarebytes scan (with the file restored), but it found nothing. I've also submitted the file to the virus lab.

Below are the virustotal results:

https://www.virustotal.com/gui/file/7149e6ede44455dc5313351ba9081de69d2e3c1059501f8084a6960fc52fc1d9/detection

Avast version: 14.4
Definitions: 20053100

Is this a false positive?
« Last Edit: May 31, 2020, 03:40:21 PM by drake145 »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37507
  • Not a avast user
Re: J:S AnarchyGrabber-A [TRJ] - False Positive?
« Reply #1 on: May 31, 2020, 07:08:03 PM »
Quote
I ran a full malwarebytes scan (with the file restored), but it found nothing.
JS:AnarchyGrabber-A [TRJ] = a JavaScript (JS) file. Malwarebytes does not target script, doc or media files.



Basic Properties
MD5   a0297bfafe6f99ddbc563d9f0e5a9f75
SHA-1   5fc5801cdb0fbf4aad69bb9e6f7b8957f664e872
SHA-256   7149e6ede44455dc5313351ba9081de69d2e3c1059501f8084a6960fc52fc1d9
SSDEEP   3:3BBBbJmAj+Pe:xBBMXm
File type   Text
Magic   ASCII text, with no line terminators
File size   40.00 B (40 bytes)

History
First Submission 2018-01-13 15:53:10
Last Submission   2019-10-28 00:49:31
Last Analysis   2020-05-31 17:00:01


It is old, so it seems like a False Positive.



Offline drake145

  • Jr. Member
  • **
  • Posts: 45
Re: J:S AnarchyGrabber-A [TRJ] - False Positive?
« Reply #2 on: June 01, 2020, 02:25:33 AM »
I found two articles from a few days ago regarding this file, and it would appear that Discord does have a vulnerability:

https://www.tripwire.com/state-of-security/security-data-protection/updated-anarchygrabber-steals-passwords-spreads-to-discord-friends/

https://www.informationsecuritybuzz.com/expert-comments/expert-on-anarchygrabber-trojan-update-stealing-discord-clients-passwords/

Since I am fairly certain that it is a false positive on my machine (based on the virustotal results and that I haven't opened Discord in a long time), I restored the file and opened it to look at the code. It opened my web browser and showed one line of code, exactly as indicated on the tripwire website.



« Last Edit: June 01, 2020, 02:28:31 AM by drake145 »
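As an added example (not code from any of the posts, nor from Avast, Discord or VirusTotal), here is a small Python triage script that makes the check implicit in this exchange explicit: hash the local copy of the flagged file and compare it with the hashes from the VirusTotal report Pondus quoted. The point worth having in code is that the VirusTotal history (first submission in 2018, 40 bytes, single ASCII line) only says something about the local file if its SHA-256 is identical; a copy with a different hash is a different file, and the quoted report does not apply to it. The reference hashes are taken from the report quoted in the thread; the sample bytes in the script are constructed for the demo and are not the real Discord index.js.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Tuple

# Reference values copied from the VirusTotal "Basic Properties" quoted in the thread.
VT_REFERENCE: Dict[str, object] = {
    "md5": "a0297bfafe6f99ddbc563d9f0e5a9f75",
    "sha1": "5fc5801cdb0fbf4aad69bb9e6f7b8957f664e872",
    "sha256": "7149e6ede44455dc5313351ba9081de69d2e3c1059501f8084a6960fc52fc1d9",
    "size": 40,
}


@dataclass
class Triage:
    size: int
    md5: str
    sha1: str
    sha256: str
    line_terminators: int
    printable_ascii: bool
    hash_match: bool
    verdict: str


def describe_magic(data: bytes) -> Tuple[int, bool]:
    """Recover the two facts VT's Magic line gave ("ASCII text, with no line terminators")."""
    terminators = data.count(b"\n")
    # Iterating over bytes yields ints; 9/10/13 are tab, LF and CR.
    printable = all(32 <= b < 127 or b in (9, 10, 13) for b in data)
    return terminators, printable


def triage(data: bytes, reference: Dict[str, object] = VT_REFERENCE) -> Triage:
    """Hash the bytes and decide whether the VT report quoted in the thread applies to them."""
    size = len(data)
    md5 = hashlib.md5(data).hexdigest()
    sha1 = hashlib.sha1(data).hexdigest()
    sha256 = hashlib.sha256(data).hexdigest()
    terminators, printable = describe_magic(data)
    hash_match = sha256 == reference["sha256"]

    if hash_match:
        # Same bytes VT analysed: its history (first seen 2018) and detections describe this file.
        verdict = "identical to the VT sample; the report's history and verdicts apply"
    elif size == reference["size"] and terminators == 0 and printable:
        # Looks like the VT sample (40 bytes, one ASCII line) but the bytes differ.
        verdict = "same size and shape as the VT sample but different content; inspect the file itself"
    else:
        verdict = "not the file VT analysed; the quoted report does not apply, analyse this copy"

    return Triage(size, md5, sha1, sha256, terminators, printable, hash_match, verdict)


def triage_path(path: str, reference: Dict[str, object] = VT_REFERENCE) -> Triage:
    """Convenience wrapper: read the flagged file as raw bytes and triage it."""
    with open(path, "rb") as fh:
        return triage(fh.read(), reference)


if __name__ == "__main__":
    # Constructed sample bytes for the demo; not the real Discord index.js.
    sample = b"console.log('constructed sample, not the real file');"
    result = triage(sample)
    print(f"size={result.size} sha256={result.sha256}")
    print(f"magic: ascii={result.printable_ascii} line_terminators={result.line_terminators}")
    print(f"verdict: {result.verdict}")
```

Run it against the restored file with `triage_path("/Users/Home/Library/Application Support/discord/0.0.254/modules/discord_desktop_core/index.js")`; only an "identical" verdict lets the 2018 first-submission date stand as evidence for a false positive.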

Offline drake145

  • Jr. Member
  • **
  • Posts: 45
Re: J:S AnarchyGrabber-A [TRJ] - False Positive?
« Reply #3 on: June 01, 2020, 01:06:35 PM »
After updating to the latest virus definition, Avast no longer detects the file, so everything is OK now.