J0k3rj0k3r Posted April 11, 2017
Download: [hidden content]
Pass: [hidden content]
damiano Posted January 9, 2018
This RAT is good.
uzmaniz Posted March 12, 2018
Thanks for sharing.
karmina Posted March 13, 2018
:rolleyes: :rolleyes: Looks good, I'll try it.
Kan3 Posted March 21, 2018 (edited)
It is backdoored, check it >>
The client is connecting to pastebin.com at port 80 to import a file as bytes. Using Wireshark I was able to sniff the HTTP request. [screenshot hidden]
First request: [screenshot hidden]
Second request: [screenshot hidden]
The first one is a junk file, but it's also editable, as pastebin.com allows the user to modify his page without changing the URL. The second request contains encrypted data.
Before decrypt: [Y2hlY2tmb3J1cGRhdGUuc3l0ZXMubmV0OjU2MzUxLG1pY3JvY2NpdC5kZG5zLm5ldDo1NjM1MSw=]
After decrypt: [checkforupdate.sytes.net:56351,microccit.ddns.net:56351,]
After tracking the hosts, it appears that an Indonesian hacker was behind all this backdooring. The last IP to establish a valid connection to microccit.ddns.net was 223.255.227.17.
This method isn't new; let's see similar code to understand how it's working. [hidden content] https://source4hacker.blogspot.ch/20...ackdoored.html
Edited March 21, 2018 by Kan3
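The "encrypted" string in Kan3's post is plain base64, and the decoded text is a comma-separated list of host:port pairs for the real controller. The script below is an added example for this thread (not code from the RAT, from the post, or from the linked blog): it decodes that payload into (host, port) pairs and scans a captured HTTP response body for any base64 token that decodes to such a list, so an analyst can pull the hostnames out of a packet capture and feed them to a firewall or hosts-file block. The payload string is the one Kan3 posted; the HTTP body around it is constructed for the example.

```python
"""Extract base64-encoded host:port lists from captured HTTP bodies.

Added example for this thread, not code from the original post or the RAT.
"""
import base64
import binascii
import re
from typing import List, Tuple

# Base64 payload copied from Kan3's post (body of the second pastebin response).
SAMPLE_PAYLOAD = (
    "Y2hlY2tmb3J1cGRhdGUuc3l0ZXMubmV0OjU2MzUxLG1pY3JvY2NpdC5kZG5zLm5ldDo1NjM1MSw="
)

# Constructed sample response body: headers, some filler text, then the payload.
SAMPLE_BODY = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
    "lorem ipsum placeholder text\n"
    + SAMPLE_PAYLOAD
    + "\n"
)

# Hostname characters we accept; anything else means "not a host list".
HOST_RE = re.compile(r"^[A-Za-z0-9.-]+$")
# Candidate base64 tokens: 16+ alphabet chars plus optional padding.
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def parse_host_list(text: str) -> List[Tuple[str, int]]:
    """Parse 'host:port,host:port,' into (host, port) pairs.

    Raises ValueError if any non-empty entry is not a valid host:port.
    """
    entries: List[Tuple[str, int]] = []
    for item in text.split(","):
        if not item:  # the trailing comma in the payload yields an empty item
            continue
        host, sep, port = item.rpartition(":")
        if not sep or not HOST_RE.match(host) or not port.isdigit():
            raise ValueError(f"not a host:port entry: {item!r}")
        port_num = int(port)
        if not 1 <= port_num <= 65535:
            raise ValueError(f"port out of range: {port_num}")
        entries.append((host, port_num))
    if not entries:
        raise ValueError("empty host list")
    return entries


def decode_c2_list(b64: str) -> List[Tuple[str, int]]:
    """Base64-decode one token and parse it as a host:port list.

    validate=True makes b64decode reject non-alphabet characters; bad padding
    or length also raises binascii.Error, so junk tokens fail loudly here.
    """
    raw = base64.b64decode(b64, validate=True)
    return parse_host_list(raw.decode("ascii"))


def find_host_lists(body: str) -> List[Tuple[str, List[Tuple[str, int]]]]:
    """Scan a captured HTTP body for base64 tokens that decode to host lists.

    Returns (token, entries) for each hit; tokens that do not decode cleanly
    to a well-formed host:port list are skipped.
    """
    hits = []
    for match in B64_TOKEN_RE.finditer(body):
        token = match.group(0)
        try:
            entries = decode_c2_list(token)
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
        hits.append((token, entries))
    return hits


if __name__ == "__main__":
    for token, entries in find_host_lists(SAMPLE_BODY):
        print(f"token {token[:20]}... ->")
        for host, port in entries:
            print(f"  {host}:{port}")
```

Run it against a response body dumped from Wireshark instead of SAMPLE_BODY to get the same two hostnames Kan3 reports; the decoded hosts are what to block, since the pastebin page itself can be edited by the author at any time without changing its URL.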
m3tal Posted March 21, 2018
Kan3 said:
It is backdoored, check it >>
The client is connecting to pastebin.com at port 80 to import a file as bytes. Using Wireshark I was able to sniff the HTTP request. [screenshot hidden]
First request: [screenshot hidden]
Second request: [screenshot hidden]
The first one is a junk file, but it's also editable, as pastebin.com allows the user to modify his page without changing the URL. The second request contains encrypted data.
Before decrypt: [Y2hlY2tmb3J1cGRhdGUuc3l0ZXMubmV0OjU2MzUxLG1pY3JvY2NpdC5kZG5zLm5ldDo1NjM1MSw=]
After decrypt: [checkforupdate.sytes.net:56351,microccit.ddns.net:56351,]
After tracking the hosts, it appears that an Indonesian hacker was behind all this backdooring. The last IP to establish a valid connection to microccit.ddns.net was 223.255.227.17.
This method isn't new; let's see similar code to understand how it's working. [hidden content] https://source4hacker.blogspot.ch/20...ackdoored.html
Yeah, it's true, it is backdoored... but as a solution you can just block pastebin.com, either by firewall or by hosts file ;)
Kan3 Posted April 12, 2018
On 3/21/2018 at 4:59 PM, m3tal said: Yeah, it's true, it is backdoored... but as a solution you can just block pastebin.com, either by firewall or by hosts file ;)
Or use a non-backdoored RAT -_-