"I made a game can you test play?" DISCORD TROJAN - +7 5989894545

OfclyGoodenough · 7 February 2022 19:54

[color=#FF00]Link (Dangerous): https://gitdhub.com/ee/game/raw/main/UnboredGame_v.0.1.zip [/color]

Registered in the Russian Federation via Ru-Center on February 3, 2022 - Whois gitdhub.com

VirusTotal - VirusTotal - File - 9cddc53aa4038cd2a3727c5728d4bc416d5b8640d7f90432f146ce62eb5910ca

Any.run - RunGame.exe (MD5: 2017734364733B9CB4F9B887C0907DC5) - Interactive analysis - ANY.RUN

Associated Discord Account - Mukata-Chan#8525

Associated Phone Number (RUSSIA) - +7 5989894545

Associated Email Address - [email protected]

Associated IP Addresses:
31.31.196.162 (gitdhub.com)

![image|750x341](upload://s0jeLuBpuMxlA97e0caTNPE6gNv.jpeg

193.106.191.226

144.76.136.153 (transfer.sh)

Program contains several trojans, including Packed.Asprotect.LPm, BScope.Trojan.Yakes, SusGen & a variant of the RedLine stealer.

inqmus · 7 February 2022 20:12

I’ll create a custom game, to hide the malware for scambaiting purposes and obfuscate it, and protect with Enigma for scammers to play. It’ll drop a dll with a malware obfuscated, then running rundll32.exe to load the dll. Then, the dll will create the service to load itself automatically. The RAT will be a Telegram, or Discord bot, due to port forwarding is expensive for a poor college student like me.

OfclyGoodenough · 11 February 2022 17:18

[color=#ff0000]NEW POPUP - http://gitdhub.com/ee/game/raw/main/SkyWorld.zip[/color]

VirusTotal - VirusTotal - File - 50bc6af308b0b2f786eca1517229e8e290210b15ad56ef633d866e3c43754081

Any.Run - RunGame.exe (MD5: 622CAD7DF29C49424D5EC8B971E1D07B) - Interactive analysis - ANY.RUN

Program contains Wacatac, SusGen, Asprotect & a variant of the RedLine stealer.

NRockhouse · 13 February 2022 16:30

Got the domain terminated.

Cartman · 21 February 2022 16:39

New Url → https://gitdhub.com/ee/game/raw/main/SkyBlade/
Scan → https://tria.ge/220221-t5ja8abffm/behavioral1

Topic Tags:
#stealer, #redline-stealer

NRockhouse · 28 February 2022 17:36

New message template on Discord

Hi guys
Can someone test my first game? :)
https://bit.ly/HiddenSky
password: test

Bit.ly link created on 28 February 2:44am (UTC +00:00) and redirects to https://gitvhub.com/ee/game/raw/main/HiddenSky.zip.

WHOIS Data
Phone: +7.4747528210
Email: [email protected]
Domain registered on: 2022-02-23
Registrar: RU-CENTER (NIC.RU)

NRockhouse · 1 March 2022 11:29

Registrar replied, but domain still active as of writing.

Discord · 2 March 2022 14:57

They are switching hosts every time they get termed tho (3 times till now).

deeznuts · 3 March 2022 15:11

asprotect unpacker Click Here

Rubi · 29 March 2022 16:40

Captura
Today, a few hours ago.
Someone has used my discord account to send the message you see in the image to my friends and servers.
Suspicious link: https://gidthub.com/ee/game/raw/main/SkyBlade/

MegaPiggy · 6 April 2022 05:56

I had this sent yesterday in a private group chat.

Busters · 6 April 2022 14:51

i will take a look

Busters · 6 April 2022 14:58

Here is what i found
this app Steals credentials from Web Browsers
Connects to CnC server
Then
Reads the cookies of Mozilla Firefox

Reads the cookies of Google Chrome

Searches for installed software

Reads Environment values

Checks supported languages

Reads the computer name

The ip that the info is being sent to 65.108.0.47
IP INFO: 65.108.0.47 Finland Uusimaa Helsinki
ISP: Hetzner Online GmbH
Connects To Port 9436

Busters · 6 April 2022 15:08

Reported To Hetzner Their ISP

mush · 8 April 2022 06:28

I’ve had the same issue today where i accidentally clicked the link and it sent this message to everyone.

The sus link: https://gidthub.com/ee/game/raw/main/SkyBlade/

HAWk1 · 10 April 2022 14:38

hey, my brother had clicked the link and opened the downloaded file . I had deleted the msg which was sent from my account but is the bot or malware removed from the system.If not how do I do so

OKpleasestop12345 · 13 April 2022 19:25

Microsoft edge too? i have reseted completely my pc after this stupid thing, and changed the discord password, i have executed the exe file.

szmyra12 · 2 May 2022 04:01

Hi, my friend’s account sent me an identical message with the same link. I clicked on it, opened the folder but did not unpack it and then deleted it. Is something still in danger? I have scanned Norton 360 and Malwarebytes multiple times since (April 28) and found nothing. (earlier before 28 April , Malwarebytes detected “Adware.Yontoo” “Adware.Elex” and “PUP.Optional” but have been removed by the program, after deleting them after scanning PC for 4 days straight i got zero detections) What is there to fear and what to do?

MelodySky · 2 May 2022 14:02

My friend’s account also sent this in our class server and I fell for it too ugh. He said he hasn’t been opening his discord for 2 days and immediately changed his password once I told him about it. Here’s the link they sent https://githxub.com/ee/game/raw/main/Skyblade

OfclyGoodenough · 2 May 2022 14:08

Registered via RU-Center on April 27, 2022 (Updated April 29, 2022) - Page not found (githxub.com)

Associated Phone Number (RUSSIA) +7 (212) 489-89-52

Associated Email Address - [email protected]