
Closed, got hacked



#1

Darks1906

    Member

Posts: 34
Threads: 8
Joined: Aug 24, 2019
Credits: 0

Four years registered
Account got hacked or sum, changed my pass so there shouldn't be any more issues

Edited by Darks1906, 23 October 2022 - 02:44 AM.


#2

ObbedCode

    Anti-Virus

Posts: 2050
Threads: 68
Joined: Nov 03, 2017
Credits: 0

Six years registered

INFECTED INFECTED INFECTED INFECTED

INFECTED INFECTED INFECTED INFECTED

INFECTED INFECTED INFECTED INFECTED

 

~ Either your account has been hacked or you are just dumb, the IP logs will help mods determine that

~ Right away I was sus, this whole thing seems off, the file has no icon whatever

~ At entry point the file runs a background task called "getNumbers"

~ Looking at your other thread this post is not a mistake as your other one has the SAME exact payload deployment (you had one job, you thought by naming it a cool name for the function that would help? you're pathetic)

 

Lets dive into this

 

~ Starts a HTTP client to download from a webserver, the URL is encoded in base64 "aHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L2h2UXBGWXZX" = "https://pastebin.com/raw/hvQpFYvW"

~ That pastebin is most likely used as a MITM for the final destination as that link can change

~ The content is "https://daedaluswall.../tempbuild.exe"

~ The file seems to be "103mb" big, malware difficult to scan, but I can scan it so no worries :D

~ Then ofc the Tempbuild.exe is going to be a file called "node.exe" (seen this many many times here), mainly seems to be using PowerShell (usually normal with node tho)

~ It will save the file to "%AppData%WindowsService64.exe"

~ I don't know if you noticed with your poor programming skill but you execute it twice? or run through the same process twice? why not just make it a function then invoke it twice if needed?

~ The program in question does NOTHING, it's a fake UI with a payload dropped in the background, one button click and it randomizes data to make it seem like it's doing something

 

Just because you got a pretty role "aqua" does not stop me from scanning everything :) if you are going to spread malware the goal is to not have your shitware detected, thanks

 

https://imgur.com/a/qsCuWJU

 

https://www.virustot...7df91?nocache=1

 

the detections slowly go up and up the more I scan :)

 

Weird APIs...

            - 'WaitForSingleObject'
            - 'QueueUserApc'
            - 'RtlCreateUserThread'
            - 'OpenProcess'
            - 'VirtualAlloc'
            - 'VirtualFree'
            - 'WriteProcessMemory'
            - 'CreateUserThread'
            - 'CloseHandle'
            - 'GetDelegateForFunctionPointer'
            - 'CreateThread'
            - 'memcpy'
            - 'LoadLibrary'
            - 'GetModuleHandle'
            - 'GetProcAddress'
            - 'VirtualProtect'
            - 'FreeLibrary'
            - 'ReadProcessMemory'
            - 'CreateRemoteThread'
            - 'AdjustTokenPrivileges'
            # - 'WriteByte'  # FP with .NET System.IO.FileStream
            - 'WriteInt32'
            - 'OpenThreadToken'
            # - 'PtrToString'
            # - 'FreeHGlobal'
            - 'ZeroFreeGlobalAllocUnicode'
            - 'OpenProcessToken'
            - 'GetTokenInformation'
            - 'SetThreadToken'
            - 'ImpersonateLoggedOnUser'
            - 'RevertToSelf'
            - 'GetLogonSessionData'
            - 'CreateProcessWithToken'
            - 'DuplicateTokenEx'
            - 'OpenWindowStation'
            - 'OpenDesktop'
            - 'MiniDumpWriteDump'
            - 'AddSecurityPackage'
            - 'EnumerateSecurityPackages'
            - 'GetProcessHandle'
            - 'DangerousGetHandle'
            - 'kernel32'
            - 'Advapi32'
            - 'msvcrt'
            - 'ntdll'

Network Traffic

108.177.119.104:443 (TCP)
142.250.69.196:443 (TCP)
20.80.129.13:443 (TCP)
23.216.147.64:443 (TCP)

Edited by ObbedCode, 22 October 2022 - 10:22 PM.



~~  Much Love From ObbedCode  ~~

Always RUN Files in a Sandbox / Virtual Machine 

 
