
Beware of Qulab clipper + stealer in Cracking Tools | Explanation and disinfection

matias18

There's a stealer and clipper that's been spammed lately in the Cracking Tools subforum, usually under the name of BonusBitcoin Checker.
I've seen many people fall for it, both normal and upgraded members, so I thought it would be a good idea to make you aware of it.
The malware goes by the name of Qulab clipper + stealer and it's being sold on Telegram and Russian semi-hacking forums.
The average OP is a new Cracked.to member, unless the account is stolen, with a bunch of likes from their multi-accounts.
The download link is almost never hidden and the archive is protected with a short password to avoid VirusTotal detections.
Multi-accounts are used to like the thread, rate the leak as working and leave positive feedback.
BonusBitcoin.rar has a size of 3,24 MB, its hash is 8B4755007FBB659342680C40E0BFC3D8 and once it's extracted we have:
Code:
(1) BonusBitcoin Checker.config with md5 hash DA0EED2F114F1288C8DE452D5B95596E.
(2) BonusBitcoin Checker.pdb with md5 hash 8546C94BE01AAB01B47EE02F697CE2A4.
(3) BonusBitcoin Checker.exe with md5 hash F41AC77A790A6E47E7A6984DE96AF504.
BonusBitcoin Checker.exe is a self extracting archive built with 7z SFX Constructor v4.5.0.0 and its file size is 3,31 MB.
At offset 000255CC of BonusBitcoin Checker.exe there's a string "MyDedicated 18:56:18 01/10/2019" telling us:
The SFX was compiled on 01/10/2019 at 18:56:18 by the user account MyDedicated - perhaps on a dedicated server?
Once BonusBitcoin Checker.exe is extracted, we have the same three files and two new files, which are the malware itself:
Code:
(4) BonusBitcoin.exe with md5 hash BC6CBD064DB70D527536600CE5312D62 compiled on 01/10/2019 at 14:39:32.
(5) KillDuplicate.cmd with md5 hash 68CECDF24AA2FD011ECE466F00EF8450.
KillDuplicate.cmd code:
________________________________________________________
Cd /d %1
Rd "%SfxVarApiPath%"
For /f "Tokens=1,2 Delims=," %%I In ('TaskList /fo CSV /nh') Do (
If %%I==%2 (
Set /a N+=1
Set PID=%%~J
)
)
If %N% EQU 1 Rd /s /q %1
If %N% GTR 1 TaskKill /pid %PID% /t /f
________________________________________________________
BonusBitcoin.exe's description in the file properties is "Оболочка сетевых подключений" which translated from Russian means "Network connection shell".
Once the executable is run, C:\Users\admin\AppData\Roaming\amd64_microsoft-windows-msauditevtlog\uicom.exe is dropped and a new task is created to run it every minute.
BonusBitcoin.exe and uicom.exe are the same file and they have virtual machine detection, so they won't run if they detect a virtual environment.
uicom.exe targets passwords, cookies, system information, autofills, credit cards, desktop .txt files, Discord, Telegram, Steam, Exodus, crypto wallets, FileZilla, SDA.
All of the information is stored in a .7z archive created in C:\Users\admin\AppData\Roaming\amd64_microsoft-windows-msauditevtlog\ and named ENU_{numbers}.
IP information is logged through a request to 104.25.210.99 on port 443, which is ipapi.co - data is sent to a Telegram bot through api.telegram.org.
The clipper replaces:
Bitcoin addresses with 123uD9tHrzKzo7MoMtGvpti24LEUMMFXUE ($1,727.06 received),
Ethereum addresses with 0x50f939b3590cc4e669b32267ebadc5c50d3f99e0 ($0 received),
Dash addresses with Xbjk3QYBphYax3xPDmb9gRPotfpAPF13pH (unknown received).
VirusTotals:
Code:
BonusBitcoin.rar protected with "btc" password - 0/57 - https://www.virustotal.com/gui/file/3caa07a73c1f69dc7ee82e93547d64d7517feaa2a56ceabdc574aa6a3b257bb7/detection
BonusBitcoin Checker.exe (SFX archive) - 43/68 - https://www.virustotal.com/gui/file/cc19dcd4c25a6adc60ac7dc229da0c5515e3cba80f956a157c3099917a7a84d3/detection
BonusBitcoin.exe (Qulab clipper and stealer) - 52/69 - https://www.virustotal.com/gui/file/70d9e8f0070931862faec4603935dcf2ab8caa6e9126e82fc5d1de3e1170e685/detection
/!\ Instructions if you have been infected:
1. Go to %appdata% and look for a folder named amd64_microsoft-windows-msauditevtlog with uicom.exe in it, save the .7z archive on your Desktop.
2. Delete the amd64_microsoft-windows-msauditevtlog folder, open the Task Scheduler and find a task with a long name which runs uicom.exe every minute.
3. Delete that task and open the .7z on the Desktop, look for every password that has been stolen and make sure to change all of them (use strong passwords).
4. Enable 2FA everywhere and timeout every old session, sometimes cookies can be used to access your accounts even without knowing your password.
5. Get an antivirus and maybe a firewall to filter outgoing malicious requests.
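Added example (my own script, not part of the original post): a PowerShell function that automates steps 1 to 3 above. The folder name, uicom.exe and the per-minute scheduled task come from the post; the function name, the -Remove switch and the assumption that the archive matches ENU_*.7z are mine. Run it from an elevated PowerShell.

```powershell
# Added example, not the post's own code: triage the Qulab persistence indicators
# described above. Without -Remove it only reports what it found and copies the
# staged archive to the Desktop; with -Remove it also cleans up (steps 1-3).
function Find-QulabArtifacts {
    [CmdletBinding()]
    param([switch]$Remove)

    $dropDir  = Join-Path $env:APPDATA 'amd64_microsoft-windows-msauditevtlog'
    $payload  = Join-Path $dropDir 'uicom.exe'
    $desktop  = [Environment]::GetFolderPath('Desktop')
    $findings = @()

    if (Test-Path $payload) {
        $findings += "Dropped payload present: $payload"
        # Step 1: keep the ENU_*.7z archive (assumed filename pattern from the post)
        # so you can review which credentials were taken before deleting anything.
        Get-ChildItem -Path $dropDir -Filter 'ENU_*.7z' -ErrorAction SilentlyContinue |
            ForEach-Object {
                Copy-Item -Path $_.FullName -Destination $desktop
                $findings += "Archive saved to Desktop: $($_.Name)"
            }
    }

    # Step 2: find the scheduled task whose action launches uicom.exe.
    $tasks = Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object {
        $_.Actions | Where-Object { $_.Execute -like '*uicom.exe*' }
    }
    foreach ($t in $tasks) {
        $findings += "Persistence task: $($t.TaskPath)$($t.TaskName)"
        if ($Remove) {
            Unregister-ScheduledTask -TaskName $t.TaskName -TaskPath $t.TaskPath -Confirm:$false
        }
    }

    if ($Remove -and (Test-Path $dropDir)) {
        # Kill the running copy first, otherwise the folder removal fails on the locked exe.
        Get-Process -Name 'uicom' -ErrorAction SilentlyContinue | Stop-Process -Force
        Remove-Item -Path $dropDir -Recurse -Force
        $findings += "Removed $dropDir"
    }

    if ($findings.Count -eq 0) { 'No Qulab indicators found.' } else { $findings }
}

Find-QulabArtifacts
```

Changing every password found in the saved archive and enabling 2FA (steps 3 and 4) still has to be done by hand afterwards.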