Locked: Would like a second opinion on if this is malicious or not


Guest

I think I'm wrong, but just trying to keep the community safe.

When you decode url1 you get

When you decode url2 you get

%USERPROFILE%\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ScHoster.exe.log

%USERPROFILE%\AppData\Roaming\dabbj

%USERPROFILE%\AppData\Roaming\dabbj\ehac.exe

Link to comment
Share on other sites

Where is that from?

The official site to download Tor is this: 

This is the hidden content, please

From what I could see the site is hosted on Hostinger, and the Tor project is not hosted there.

I didn't analyze the file, but given the above, the page is as fake as a house, so I guess the file doesn't contain anything good.

Additionally, the site is hosted on a shared server, and the Tor project is not hosted on a shared server.

Link to comment
Share on other sites

It was found from my ScraperBot. I learned a while ago to check anything and everything I get from online. The Base64 is what caught my attention. I'm not very smart, but it doesn't take much common sense to realize something there isn't right.

It's actually an older backdoor that they said was "fixed" in 2021.

I ran it through a VM. What it does is replace Chrome.exe inside your Usr/Bin. Once it runs, it starts stealing data from SilverBullet.

Link to comment
Share on other sites

The malware changes the victim's clipboarded Bitcoin address.

It also reads numerous files containing system information.

It also logs the victim's IP address and sends the stolen data to a Telegram bot

and is granted through a task on the Windows Task Scheduler.

Edited by Astaroth
Link to comment
Share on other sites
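
A host triage check built from what the thread reports, added here as an example and not posted by any participant: it looks for the three paths listed in the first post under every local profile and lists scheduled tasks whose action runs from `AppData\Roaming`. The `C:\Users` profile root and the idea that the task's action points into `AppData\Roaming` are assumptions; the thread does not name the task.

```powershell
# Added triage example. The three relative paths are the ones listed in the first post.
$indicators = @(
    'AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ScHoster.exe.log',
    'AppData\Roaming\dabbj',
    'AppData\Roaming\dabbj\ehac.exe'
)

# Assumption: profiles live under <SystemDrive>\Users. Run elevated to read all of them.
$usersRoot = Join-Path $env:SystemDrive 'Users'
$profiles  = Get-ChildItem -LiteralPath $usersRoot -Directory -Force -ErrorAction SilentlyContinue

$fileHits = foreach ($userDir in $profiles) {
    foreach ($rel in $indicators) {
        $full = Join-Path $userDir.FullName $rel
        if (Test-Path -LiteralPath $full) {
            $item = Get-Item -LiteralPath $full -Force
            $hash = $null
            if (-not $item.PSIsContainer) {
                # Hash files so the sample can be compared or submitted for analysis.
                $hash = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
            }
            [pscustomobject]@{
                Path       = $full
                CreatedUtc = $item.CreationTimeUtc
                SHA256     = $hash
            }
        }
    }
}

# The last post says the malware is started through a Task Scheduler task.
# Assumption: that task's action points into AppData\Roaming (where ehac.exe sits).
# Legitimate per-user updaters can match too, so treat the output as a review list.
$taskHits = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $cmd = [Environment]::ExpandEnvironmentVariables("$($action.Execute) $($action.Arguments)")
        if ($cmd -match '\\AppData\\Roaming\\') {
            [pscustomobject]@{
                Task    = $task.TaskPath + $task.TaskName
                State   = $task.State
                Command = $cmd.Trim()
            }
        }
    }
}

if ($fileHits) { $fileHits | Format-List } else { 'No listed paths found.' }
if ($taskHits) { $taskHits | Format-Table -AutoSize -Wrap } else { 'No tasks run from AppData\Roaming.' }
```
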

This topic is now closed to further replies.