en
Feedback
هیچی برگر [﷼]

هیچی برگر [﷼]

Open in Telegram

shit/schizo posting

Show more
The country is not specifiedThe category is not specified
219
Subscribers
No data24 hours
+17 days
+230 days
Posts Archive
Repost from vx-underground
> wake up > take a shit > get out of bed
> wake up > take a shit > get out of bed

Repost from vx-underground
I am absolutely flabbergasted Okay, so this nerd DMs me saying he thinks he got sent malware. He said I should check it out.
+1
I am absolutely flabbergasted Okay, so this nerd DMs me saying he thinks he got sent malware. He said I should check it out. I said "I'm in my undies, I'll do it later when I'm on my PC" (Image 1) This malware has so many twists and turns bro, this shit is all vibe coded too. I don't know what AI agent wrote it, but I know it's vibe coded because THE NOTES FROM THE AI AGENT ARE PRESENT. I think the Threat Actor who wrote this didn't understand how reverse engineering works, so they didn't know the AI agent notes would be present. This malware wasn't super sophisticated, it didn't contain any extreme logic or anything, but it was a convoluted fucking MESS and it a colossal pain in the ass. A normal malware developer could have written this too, but it's got so many stages this would be more akin to a well-established Threat Actor. This was written by someone who doesn't understand how reverse engineering works and someone who is willing to target GAMERS OVER DISCORD with malware that is actually pretty decent. In fairness, it could be MaaS, but this doesn't line up with anything I've seen from my peers (yet). It's possible I've missed it. But, this is a bitch of a payload and I unironically enjoyed it. Here is the silly meme summary > get sent rivals_toolkit.exe > electron app goop > masquerades as legit toolkit > electron app contains resource called "Discord.exe" > Discord.exe is a malware loader > Discord creates a Java VM > Loads obfuscated Java payload > I can't find where it the JVM payload > JVM payload hidden in different file from Electron app > Annoying.jpg > Electron App also has spoopy secondary functionality > Displays legit HTML stuff > Secondary thread executes, executes Ira.JS stager > f91a7efa0d476811455271e023dfb3be > Decodes and executes initial stager, Ira.jsc > c286ad4c51128266e10ad0a49da9cb3f > Decodes and drops secondary payload stage > 816bfabbb3408ad2114ba351690410c3 > Decodes and drops third payload stage > 7364f758b4b8623c0beb020a74ff09b5 > Decodes and drops fourth payload stage > 7b9627f07f7fb604f5edfb23c706b22a > Final payloads syncs and does IPC with Java payload > Contains AI notes (Image 2) Holy Christ, all of this for fucking gamers on Discord? Multi-staged masquerading payload with cross-language IPC? What the fuck?

Repost from vx-underground
> "hey smelly, is this malware?" > sends url > look inside (image 1) > base64 encoded string installer > obviously malware >
+3
> "hey smelly, is this malware?" > sends url > look inside (image 1) > base64 encoded string installer > obviously malware > decode > look inside > obviously malware (image 2) > decode the gunky stuff > verse-57(.)com > curl request to gunky url (image 3) > gives 3.143mb file > look inside > CA FE BA BE > ??? > CA FE BA BE > ??? > java file? > hash file > 5a897367792b56d8c8b3fe624937ea97 > never seen before on vt > closest match to static signature is amos stealer > legit macOS malware > i dont do macOS malware > i dont know how to use a mac (image 4)