Collector Stealer Malware

Recently, websites with malicious purposes have been created on SprintHost (Спринтхост). The Telegram group is Click Here. The scammer(s) sell this tool for 50 Russian rubles. The website is still an admin panel / dashboard, like XBALTI.
A little information about the malware → It’s a normal stealer / RAT stealer (mostly an executable file) which steals passwords, emails, etc. The login is MySQL (database) from phpMyAdmin. The tool steals information from:

  1. SA:MP
  2. Information from Chromium / Edge / Google Chrome (port: 80) / Mozilla Firefox (passwords, credit cards)
  3. Sessions from Telegram, Discord, FileZilla, Steam
  4. Passwords from NordVPN.
  5. Steals wallet files.


This picture is an example config.php on the server.
As he said → ‘Могу отказать вам в установке из-за неадекватного поведения.’, which means he can stop future updates to your tool if you do something he doesn't like. Because someone could use or sell this tool themselves, I censored the chat ID and token.

I’ve reported it to Google Safebrowsing.

Stealers:

Domains

193.142.59.221
hxxp://ecocalyx.com
37.0.11.8
hxxp://verecalina.xyz