so today my laptop got infected
all my icons are Among Us
every time i restart my laptop i get an autorun worm
ok so i decided to run a VirusTotal scan on every icon i have and this happened
edit:
the user info
the guy named Ytzmo runs a discord server where he provides free discord nitro
and yes, the RAT has been running for a while
the dump is using NJRAT
The file is fully undetected
once you click it you will see this on your startup
check the results here
the YouTube channel where he promotes his RATs (banned): https://www.youtube.com/c/Ytzmo/
with 2k subs
idk but i went to any.run and put the file in there
then i got this info
i got the DDNS that they are using
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
also their ip
50.23.197.95
69.42.215.252
then i realized its ISP is SoftLayer
then i went to google, did some research and found this article: When it comes to spam, IBM’s SoftLayer is the host with the most | InfoWorld
idk what to do
i am installing ESET antivirus
i get an autorun worm whenever i restart my laptop
idk if i got lateral movement on my network
any suggestions?
an abuse report has been sent to their DDNS provider
1 Like
Download Malwarebytes and run a scan with it
1 Like
I’d recommend just resetting fully, most of your files are probably binded with malware.
The malware itself is GitHub · Where software is built, I am pretty sure. As there is not much information on the GitHub page, my friend says it runs NJRat; however the version you have could be another variant, as this Mbr-Builder modifies the MBR to display a custom message.
1 Like
just an FYI, the zip in that repo is also malware, a non-malware version can be seen at GitHub · Where software is built
2 Likes
This will be a bad move if he starts ransomware first before he transfers all files, because he cannot access his PC after destroying it. Also, njRAT's source code was leaked, so if he finds a way to decompile the stub (stub.exe) to look for full information such as DDNS and IP addresses, he can escape if he finds all files which were infected (copied) from Synaptics.exe. As we know, Synaptics isn’t the big problem; it only replaces already existing executables with the fake virus and autorun. ← just an option from the RAT. Another problem is the obfuscation, but it may be easy because the source code is already published and you can deobfuscate the details.
**Also, using free shit tools like discord nitro is malicious.**
1 Like
this is how it works
the file will run as a nitro cmd generator
normally
then it auto-downloads and auto-runs the backdoors from these websites
Synaptics.exe is the main backdoor that is made with njRAT
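An added defender's triage check (example code, not from this thread or from any tool named in it) for the executable-replacement behaviour described above: it hashes executables under a directory and reports clusters of byte-identical files that sit under different names. The directory tree, file contents and filenames below are constructed for the demonstration.

```python
# Added example (not from the thread): when a worm overwrites existing .exe
# files with copies of itself, many executables under different names end up
# byte-identical. Clustering by SHA-256 surfaces that quickly during triage.
import hashlib
import os
import tempfile
from collections import defaultdict

EXE_EXTS = {".exe", ".scr", ".com"}


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_identical_executables(root, min_copies=2):
    """Return {sha256: [paths]} for executable content that appears under
    at least `min_copies` distinct filenames beneath `root`."""
    by_hash = defaultdict(list)
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in EXE_EXTS:
                p = os.path.join(dirpath, name)
                by_hash[sha256_file(p)].append(p)
    return {h: sorted(ps) for h, ps in by_hash.items()
            if len({os.path.basename(p) for p in ps}) >= min_copies}


def suspicious_names(root):
    """Flat, sorted list of basenames that belong to any identical cluster."""
    return sorted(os.path.basename(p)
                  for ps in find_identical_executables(root).values()
                  for p in ps)


def build_sample_tree():
    """Constructed sample: three 'replaced' executables sharing one fake body
    (constructed bytes, not real malware) plus one program with its own content."""
    root = tempfile.mkdtemp(prefix="triage_")
    fake = b"MZ" + b"\x90" * 64 + b"dropper-body"
    for n in ("game.exe", "editor.exe", "Synaptics.exe"):  # assumed names
        with open(os.path.join(root, n), "wb") as f:
            f.write(fake)
    with open(os.path.join(root, "calc.exe"), "wb") as f:
        f.write(b"MZ" + b"real-program-body")
    return root


if __name__ == "__main__":
    for digest, paths in find_identical_executables(build_sample_tree()).items():
        print(digest[:16], "->", [os.path.basename(p) for p in paths])
```

Point it at a real user profile or a removable drive and a cluster of identical executables is the set of files the worm replaced; the unique one (calc.exe here) is left alone.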
How didn’t ESET detect it? bruh.
no, you didn’t understand
i was using windows defender
now, after the virus, i installed ESET
You can use HitmanPro as well, it removes most of it!