Guest Posted October 24, 2023

I think I'm wrong, but just trying to keep community safe.

When you decode url1 you get

When you decode url2 you get

%USERPROFILE%\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ScHoster.exe.log
%USERPROFILE%\AppData\Roaming\dabbj
%USERPROFILE%\AppData\Roaming\dabbj\ehac.exe
dEEpEst Posted October 24, 2023

Where is that from? The official site to download Tor is this: [hidden content]

From what I could see the site is hosted on Hostinger, and the Tor project is not hosted there. I didn't analyze the file, but given the above, the page is as fake as a house, so I guess the file doesn't contain anything good.

Additionally the site is hosted on a shared server, and the Tor project is not hosted on a shared server.
Guest Posted October 24, 2023

It was found from my ScraperBot. I learned a while ago to check anything and everything I get from online. The Base64 is what caught my attention. I'm not very smart, but it doesn't take much common sense to realize something there isn't right. It's actually an older backdoor that they said was "fixed" in 2021. I ran it through a VM. What it does is replace Chrome.exe inside your Usr/Bin. Once it runs it starts stealing data from SilverBullet.
Guest Posted October 24, 2023 (edited)

The malware changes the victim's clipboarded Bitcoin address. It also reads numerous files containing system information. It also logs the victim's IP address and sends the stolen data to a Telegram bot, and is granted through a task on the Windows Task Scheduler.

Edited October 24, 2023 by Astaroth
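A defender-side check for the scheduled-task persistence described in the post above, added here as an example and not code from any poster: it parses Task Scheduler XML and flags tasks whose action launches a binary from a user-writable directory, such as the AppData\Roaming path listed in the first post. The sample XML, the task names, the profile path and the directory list are constructed assumptions.

```python
import ntpath
import xml.etree.ElementTree as ET

# Namespace of Task Scheduler task definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Assumed list of user-writable locations worth reviewing (extend for your estate).
SUSPECT_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\users\\public\\")
# Constructed expansions so environment variables compare like real paths.
ENV = {"%localappdata%": r"c:\users\u\appdata\local", "%appdata%": r"c:\users\u\appdata\roaming",
       "%temp%": r"c:\users\u\appdata\local\temp", "%userprofile%": r"c:\users\u",
       "%public%": r"c:\users\public"}

# Constructed sample: one benign task and one using the path from the first post.
SAMPLE = r"""<Tasks>
  <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
    <RegistrationInfo><URI>\Vendor\Updater</URI></RegistrationInfo>
    <Actions><Exec><Command>"C:\Program Files\Vendor\update.exe"</Command></Exec></Actions>
  </Task>
  <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
    <RegistrationInfo><URI>\Constructed\Sample</URI></RegistrationInfo>
    <Actions><Exec><Command>%USERPROFILE%\AppData\Roaming\dabbj\ehac.exe</Command></Exec></Actions>
  </Task>
</Tasks>"""

def normalise(command):
    """Lower-case, unquote, expand variables and collapse '..' in a task command."""
    path = command.strip().strip('"').lower().replace("/", "\\")
    for var, value in ENV.items():
        path = path.replace(var, value)
    return ntpath.normpath(path)

def suspicious_tasks(xml_text):
    """Return (task URI, command) for each Exec action that runs from a user-writable dir."""
    hits = []
    for task in ET.fromstring(xml_text).iter("{%s}Task" % NS["t"]):
        name = task.findtext("t:RegistrationInfo/t:URI", default="(no URI)", namespaces=NS)
        for cmd in task.iterfind("t:Actions/t:Exec/t:Command", NS):
            text = (cmd.text or "").strip()
            if any(d in normalise(text) for d in SUSPECT_DIRS):
                hits.append((name, text))
    return hits

if __name__ == "__main__":
    for name, command in suspicious_tasks(SAMPLE):
        print(f"review task {name}: {command}")
```

A hit is a lead for review rather than a verdict, since some legitimate per-user software also schedules tasks from AppData.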
dEEpEst Posted October 24, 2023

Good research