Edited by Darks1906, 23 October 2022 - 02:44 AM.
Closed, got hacked
#2
Posted 22 October 2022 - 09:51 PM
INFECTED INFECTED INFECTED INFECTED
INFECTED INFECTED INFECTED INFECTED
INFECTED INFECTED INFECTED INFECTED
~ Either your account has been hacked or you are just dumb; the IP logs will help mods determine that
~ Right away I was sus, this whole thing seems off, the file has no icon whatever
~ At entry point the file runs a background task called "getNumbers"
~ Looking at your other thread, this post is not a mistake, as your other one has the SAME exact payload deployment (you had one job; you thought that naming the function a cool name would help? You're pathetic)
Let's dive into this
~ Starts an HTTP client to download from a webserver; the URL is encoded in base64: "aHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L2h2UXBGWXZX" = "https://pastebin.com/raw/hvQpFYvW"
~ That pastebin is most likely used as a MITM for the final destination, as that link can change
~ The content is "https://daedaluswall.../tempbuild.exe"
~ The file seems to be "103mb" big; malware difficult to scan, but I can scan it, so no worries
~ Then ofc the Tempbuild.exe is going to be a file called "node.exe" (seen this many many times here); mainly seems to be using PowerShell (usually normal with node tho)
~ It will save the file to "%AppData%WindowsService64.exe"
~ I don't know if you noticed with your poor programming skill, but you execute it twice? Or run through the same process twice? Why not just make it a function, then invoke it twice if needed?
~ The program in question does NOTHING; it's a fake UI with a payload dropped in the background. One button click and it randomizes data to make it seem like it's doing something
Just because you got a pretty role "aqua" does not stop me from scanning everything. If you are going to spread malware, the goal is to not have your shitware detected, thanks
https://www.virustot...7df91?nocache=1
The detections slowly go up and up the more I scan
Weird APIs...
- 'WaitForSingleObject'
- 'QueueUserApc'
- 'RtlCreateUserThread'
- 'OpenProcess'
- 'VirtualAlloc'
- 'VirtualFree'
- 'WriteProcessMemory'
- 'CreateUserThread'
- 'CloseHandle'
- 'GetDelegateForFunctionPointer'
- 'CreateThread'
- 'memcpy'
- 'LoadLibrary'
- 'GetModuleHandle'
- 'GetProcAddress'
- 'VirtualProtect'
- 'FreeLibrary'
- 'ReadProcessMemory'
- 'CreateRemoteThread'
- 'AdjustTokenPrivileges'
# - 'WriteByte' # FP with .NET System.IO.FileStream
- 'WriteInt32'
- 'OpenThreadToken'
# - 'PtrToString'
# - 'FreeHGlobal'
- 'ZeroFreeGlobalAllocUnicode'
- 'OpenProcessToken'
- 'GetTokenInformation'
- 'SetThreadToken'
- 'ImpersonateLoggedOnUser'
- 'RevertToSelf'
- 'GetLogonSessionData'
- 'CreateProcessWithToken'
- 'DuplicateTokenEx'
- 'OpenWindowStation'
- 'OpenDesktop'
- 'MiniDumpWriteDump'
- 'AddSecurityPackage'
- 'EnumerateSecurityPackages'
- 'GetProcessHandle'
- 'DangerousGetHandle'
- 'kernel32'
- 'Advapi32'
- 'msvcrt'
- 'ntdll'
Network Traffic
108.177.119.104:443 (TCP)
142.250.69.196:443 (TCP)
20.80.129.13:443 (TCP)
23.216.147.64:443 (TCP)
Edited by ObbedCode, 22 October 2022 - 10:22 PM.
++
~~ Much Love From ObbedCode ~~
Always RUN Files in a Sandbox / Virtual Machine
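Added example (my own triage script, not code from the post or from the sample it analyses): it does the two checks ObbedCode walks through above, pulling printable strings out of a binary, decoding any base64 token that hides an http(s) URL and labelling a paste-site /raw/ link as a changeable staging redirector, and grouping the API names from the post's list into injection / token / dump capabilities. The sample bytes are constructed for the demo; only the base64 string and the API names come from the post, and the redirector host list is an assumption you would extend yourself.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

# Constructed sample: printable strings laid out roughly as they would sit in a
# .NET dropper (a UTF-16 user string for the base64 URL, ASCII for P/Invoke names).
# The base64 blob and the API names are the ones quoted in the post; the rest is made up.
SAMPLE = (
    b"getNumbers\x00\x00"
    + "aHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L2h2UXBGWXZX".encode("utf-16le") + b"\x00\x00"
    + b"WindowsService64.exe\x00"
    + b"OpenProcess\x00VirtualAlloc\x00WriteProcessMemory\x00CreateRemoteThread\x00"
    + b"AdjustTokenPrivileges\x00"
    + b"Random number generated\x00"
)

ASCII_RUN = re.compile(rb"[\x20-\x7e]{8,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
URL_RE = re.compile(r"^https?://[^\s\"'<>]+$")

# Hosts used as a changeable redirector in front of the real payload URL.
# pastebin.com is the one named in the post; the set is an assumption to extend.
REDIRECTOR_HOSTS = {"pastebin.com"}

# Groupings of names taken from the post's API list.
INJECTION_APIS = {"OpenProcess", "VirtualAlloc", "VirtualProtect", "WriteProcessMemory",
                  "ReadProcessMemory", "CreateRemoteThread", "QueueUserApc",
                  "RtlCreateUserThread", "CreateUserThread"}
TOKEN_APIS = {"OpenProcessToken", "OpenThreadToken", "AdjustTokenPrivileges",
              "DuplicateTokenEx", "ImpersonateLoggedOnUser", "SetThreadToken",
              "CreateProcessWithToken"}
DUMP_APIS = {"MiniDumpWriteDump"}


def printable_strings(data: bytes) -> list:
    """Extract ASCII and UTF-16LE printable runs (.NET keeps user strings as UTF-16)."""
    out = [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]
    out += [m.group().decode("utf-16le") for m in UTF16_RUN.finditer(data)]
    return out


def classify_url(url: str) -> str:
    """A paste-site /raw/ link is resolved at run time, so the real payload URL can change."""
    parts = urlsplit(url)
    if parts.hostname in REDIRECTOR_HOSTS and parts.path.startswith("/raw/"):
        return "staging-redirector"
    return "payload-download"


def decode_base64_urls(strings) -> list:
    """Return (url, label) for every base64 token that decodes to an http(s) URL."""
    found = []
    for s in strings:
        for token in B64_TOKEN.findall(s):
            padded = token + "=" * (-len(token) % 4)   # tolerate stripped padding
            try:
                decoded = base64.b64decode(padded, validate=True).decode("ascii")
            except (binascii.Error, UnicodeDecodeError):
                continue   # not base64, or not text: an identifier that merely looks like base64
            if URL_RE.match(decoded):
                found.append((decoded, classify_url(decoded)))
    return found


def api_hits(strings) -> dict:
    """Which capability groups from the post's API list are referenced by name."""
    present = set(strings)
    return {
        "injection": sorted(present & INJECTION_APIS),
        "token": sorted(present & TOKEN_APIS),
        "dump": sorted(present & DUMP_APIS),
    }


def analyze(data: bytes) -> dict:
    strings = printable_strings(data)
    urls = decode_base64_urls(strings)
    apis = api_hits(strings)
    staged = any(label == "staging-redirector" for _, label in urls)
    injects = len(apis["injection"]) >= 3   # a cluster, not one stray import
    return {
        "urls": urls,
        "apis": apis,
        "staged_download": staged,
        "injection_capable": injects,
        "suspicious": staged or injects or bool(apis["dump"]),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

Run it against a real file with `analyze(open(path, "rb").read())`; a hit on "staged_download" is the strongest single signal here, because a legitimate program has no reason to hide a paste-site link in base64 and fetch it at run time.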