"I made a game can you test play?" DISCORD TROJAN - +7 5989894545

Link (Dangerous): https://gitdhub.com/ee/game/raw/main/UnboredGame_v.0.1.zip

Registered in the Russian Federation via Ru-Center on February 3, 2022 - Whois gitdhub.com

VirusTotal - VirusTotal - File - 9cddc53aa4038cd2a3727c5728d4bc416d5b8640d7f90432f146ce62eb5910ca

Any.run - RunGame.exe (MD5: 2017734364733B9CB4F9B887C0907DC5) - Interactive analysis - ANY.RUN

Associated Discord Account - Mukata-Chan#8525

Associated Phone Number (RUSSIA) - +7 5989894545

image

Associated Email Address - [email protected]

Associated IP Addresses:
31.31.196.162 (gitdhub.com)

![image|750x341](upload://s0jeLuBpuMxlA97e0caTNPE6gNv.jpeg

193.106.191.226

144.76.136.153 (transfer.sh)

Program contains several trojans, including Packed.Asprotect.LPm, BScope.Trojan.Yakes, SusGen & a variant of the RedLine stealer.

3 Likes

I’ll create a custom game, to hide the malware for scambaiting purposes and obfuscate it, and protect with Enigma for scammers to play. It’ll drop a dll with a malware obfuscated, then running rundll32.exe to load the dll. Then, the dll will create the service to load itself automatically. The RAT will be a Telegram, or Discord bot, due to port forwarding is expensive for a poor college student like me.

NEW POPUP - http://gitdhub.com/ee/game/raw/main/SkyWorld.zip

VirusTotal - VirusTotal - File - 50bc6af308b0b2f786eca1517229e8e290210b15ad56ef633d866e3c43754081

Any.Run - RunGame.exe (MD5: 622CAD7DF29C49424D5EC8B971E1D07B) - Interactive analysis - ANY.RUN

Program contains Wacatac, SusGen, Asprotect & a variant of the RedLine stealer.

Got the domain terminated.

1 Like

New Url → https://gitdhub.com/ee/game/raw/main/SkyBlade/
Scan → https://tria.ge/220221-t5ja8abffm/behavioral1

Topic Tags:
#stealer, #redline-stealer

2 Likes

New message template on Discord

Hi guys
Can someone test my first game? :)
https://bit.ly/HiddenSky
password: test

Bit.ly link created on 28 February 2:44am (UTC +00:00) and redirects to https://gitvhub.com/ee/game/raw/main/HiddenSky.zip.

WHOIS Data
Phone: +7.4747528210
Email: [email protected]
Domain registered on: 2022-02-23
Registrar: RU-CENTER (NIC.RU)

Registrar replied, but domain still active as of writing.

image
image

They are switching hosts every time they get termed tho (3 times till now).

asprotect unpacker Click Here

Captura
Today, a few hours ago.
Someone has used my discord account to send the message you see in the image to my friends and servers.
Suspicious link: https://gidthub.com/ee/game/raw/main/SkyBlade/

1 Like

I had this sent yesterday in a private group chat.
image

i will take a look

Here is what i found
this app Steals credentials from Web Browsers
Connects to CnC server
Then
Reads the cookies of Mozilla Firefox

Reads the cookies of Google Chrome

Searches for installed software

Reads Environment values

Checks supported languages

Reads the computer name

The ip that the info is being sent to 65.108.0.47
IP INFO: 65.108.0.47 Finland Uusimaa Helsinki
ISP: Hetzner Online GmbH
Connects To Port 9436

Reported To Hetzner Their ISP
image

1 Like

I’ve had the same issue today where i accidentally clicked the link and it sent this message to everyone.

The sus link: https://gidthub.com/ee/game/raw/main/SkyBlade/

hey, my brother had clicked the link and opened the downloaded file . I had deleted the msg which was sent from my account but is the bot or malware removed from the system.If not how do I do so

Microsoft edge too? i have reseted completely my pc after this stupid thing, and changed the discord password, i have executed the exe file.

1 Like

Hi, my friend’s account sent me an identical message with the same link. I clicked on it, opened the folder but did not unpack it and then deleted it. Is something still in danger? I have scanned Norton 360 and Malwarebytes multiple times since (April 28) and found nothing. (earlier before 28 April , Malwarebytes detected “Adware.Yontoo” “Adware.Elex” and “PUP.Optional” but have been removed by the program, after deleting them after scanning PC for 4 days straight i got zero detections) What is there to fear and what to do?

My friend’s account also sent this in our class server and I fell for it too ugh. He said he hasn’t been opening his discord for 2 days and immediately changed his password once I told him about it. Here’s the link they sent https://githxub.com/ee/game/raw/main/Skyblade

Registered via RU-Center on April 27, 2022 (Updated April 29, 2022) - Page not found (githxub.com)

Associated Phone Number (RUSSIA) +7 (212) 489-89-52

image

Associated Email Address - [email protected]