Ratting on the RATTERS - issue 0x01

a guest
Aug 26th, 2017

,-------------------------------------,
/ /
/ PEST CONTROL! August 2017 /
/ /
-------------------------------------`
|\| |\|
|/|/ |/|/
|/ _, .---.__c--. |/
/ (__( )_._( )_`_> /
`~~" `~"


[Ratting on the RATTERS - issue 0x01]

$ whoami
fox



...because nobody likes a skid

RATTING is sad. RATTING is lame.



// 0x1 ///////////////////////////////////////////////////////

Find stubs / packers / misc malware

// Site .... Youtube.com
// Keywords .... Hack tool download

// Result
https://www.youtube.com/watch?v=RDAzC1rxTts


// 0x2 ///////////////////////////////////////////////////////

// Fetch any linked archive download
https://mega.nz/#!h2YjjKzD!e--XB1wQ0J8a9hKMq3_AgyJCdYXFCHnnYIe0-skk3Dw


// 0x3 ///////////////////////////////////////////////////////

$ unrar e Rust\ Plantinum\ Cracked.rar


// 0x4 ///////////////////////////////////////////////////////

// Appears to be a cheat for that game with naked guys and rocks.

$ ls
ClientPlugin.dll SQLite.Interop.dll
Rust Plantinum Cracked 1.5.7.exe System.Data.SQLite.dll


// 0x5 ///////////////////////////////////////////////////////

$ file Rust\ Plantinum\ Cracked\ 1.5.7.exe
Rust Plantinum Cracked 1.5.7.exe: PE32 executable (GUI) Intel 80386, for MS Windows

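The `file` one-liner above is derived from a handful of PE header fields. The following is an added example (not part of the original paste) that reads those fields directly, so a dropped binary can be triaged from its bytes before anyone considers executing it. The sample image is constructed inline: a header-only PE32, GUI-subsystem, i386 file with no code, exactly the shape `file` reported for the cheat.

```python
"""Minimal PE header inspector: confirms what `file` reports (PE32, GUI, i386)
straight from the bytes. Added example; the sample image below is constructed."""
import struct

MACHINE_NAMES = {0x014C: "Intel 80386", 0x8664: "x86-64", 0x01C0: "ARM", 0xAA64: "ARM64"}
SUBSYSTEM_NAMES = {1: "native", 2: "GUI", 3: "console"}
MAGIC_NAMES = {0x10B: "PE32", 0x20B: "PE32+"}


def inspect_pe(data: bytes) -> dict:
    """Parse the DOS stub, COFF header and the start of the optional header.
    Raises ValueError on anything that is not a well-formed PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _ts, _sym, _nsym, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 70 or opt + opt_size > len(data):
        raise ValueError("optional header truncated")
    magic = struct.unpack_from("<H", data, opt)[0]
    # Subsystem sits at offset 68 of the optional header for both PE32 and PE32+.
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    return {
        "format": MAGIC_NAMES.get(magic, f"unknown magic 0x{magic:x}"),
        "machine": MACHINE_NAMES.get(machine, f"unknown 0x{machine:x}"),
        "subsystem": SUBSYSTEM_NAMES.get(subsystem, f"unknown {subsystem}"),
        "sections": nsections,
        "is_dll": bool(characteristics & 0x2000),  # IMAGE_FILE_DLL
    }


def describe(data: bytes) -> str:
    """Render the result in the same style as the `file` utility's one-liner."""
    info = inspect_pe(data)
    return f"{info['format']} executable ({info['subsystem']}) {info['machine']}, for MS Windows"


def build_sample_pe() -> bytes:
    """Constructed header-only PE32 GUI i386 image (no code), for demonstration."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, 3 sections, 224-byte optional header, EXECUTABLE_IMAGE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x014C, 3, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)   # PE32 magic
    struct.pack_into("<H", opt, 68, 2)      # IMAGE_SUBSYSTEM_WINDOWS_GUI
    return dos + b"PE\x00\x00" + coff + bytes(opt)


if __name__ == "__main__":
    print(describe(build_sample_pe()))
```

Run it against the real file with `inspect_pe(open(path, "rb").read())`; a sample that claims to be a GUI cheat but carries a DLL flag or an unexpected machine type is worth a second look before it ever reaches a sandbox.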

// 0x6 ///////////////////////////////////////////////////////

// Send that binded junk to VirusTotal.
// First time the sample has been analyzed, and holy fuck.

Detection ratio: 58 / 63
https://virustotal.com/en/file/0af9b967683c3e19661951bed41c8ad3eac0607147b71b0c745443206c57a2d1/analysis/1503789652/

// We have a skid!


// 0x7 ///////////////////////////////////////////////////////

// Who has time to run this in a VM?
// It's a cheat tool that acts as a dropper...

// Let's see what kevthehermit's RATDecoder has to say...

[+] Reading file
[+] Searching for Config
[+] Printing Config to screen
[-] Key: CampaignID Value: Guest16
[-] Key: Domains Value: mrwhite8391.ddns.net:8015
[-] Key: FTPHost Value:
[-] Key: FTPKeyLogs Value:
[-] Key: FTPPassword Value:
[-] Key: FTPPort Value:
[-] Key: FTPRoot Value:
[-] Key: FTPSize Value:
[-] Key: FTPUserName Value:
[-] Key: FireWallBypass Value: 1
[-] Key: Gencode Value: BZ8TyxZ4r2ms
[-] Key: Mutex Value: DC_MUTEX-9TK1E8U
[-] Key: OfflineKeylogger Value: 1
[-] Key: Password Value:
[-] Key: Version Value: #KCMDDC51#
[+] End of Config

// Looks like we have a DarkComet!
// What year is it?!!?!?

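The decoded config is the useful part of this write-up for anyone defending a network: the C2 host and port, the mutex, and the version marker are all directly actionable. Below is an added example (not RATDecoder's own code and not from the original paste) that parses RATDecoder's `[-] Key: ... Value: ...` lines into a structured indicator record. The sample input is the output shown above, trimmed of the empty FTP keys; the `|`-separated C2 list format in `extract_c2` reflects how DarkComet stores multiple endpoints, and the `#KCMDDC` family check keys off the version marker the decoder printed.

```python
"""Turn RATDecoder output into a structured IoC record for blocking and detection.
Added example; the sample output below is copied from the decoder run above."""
import re

SAMPLE_OUTPUT = """\
[+] Reading file
[+] Searching for Config
[+] Printing Config to screen
[-] Key: CampaignID Value: Guest16
[-] Key: Domains Value: mrwhite8391.ddns.net:8015
[-] Key: FTPHost Value:
[-] Key: FireWallBypass Value: 1
[-] Key: Gencode Value: BZ8TyxZ4r2ms
[-] Key: Mutex Value: DC_MUTEX-9TK1E8U
[-] Key: OfflineKeylogger Value: 1
[-] Key: Password Value:
[-] Key: Version Value: #KCMDDC51#
[+] End of Config
"""

# Matches the decoder's config lines; the value is optional because several keys are empty.
CONFIG_LINE = re.compile(r"^\[-\] Key: (?P<key>\S+) Value:(?: (?P<value>.*))?$")


def parse_config(text: str) -> dict:
    """Collect every Key/Value pair; keys with an empty value map to ''."""
    config = {}
    for line in text.splitlines():
        m = CONFIG_LINE.match(line.rstrip())
        if m:
            config[m.group("key")] = (m.group("value") or "").strip()
    return config


def extract_c2(domains_field: str) -> list:
    """DarkComet lists C2 endpoints as 'host:port' entries separated by '|'."""
    endpoints = []
    for entry in domains_field.split("|"):
        entry = entry.strip()
        if not entry:
            continue
        host, _, port = entry.rpartition(":")
        if not host or not port.isdigit():
            raise ValueError(f"malformed C2 entry: {entry!r}")
        endpoints.append((host, int(port)))
    return endpoints


def build_iocs(text: str) -> dict:
    """Derive the indicators a defender can act on from the decoded config."""
    cfg = parse_config(text)
    version = cfg.get("Version", "")
    return {
        "family": "DarkComet" if version.startswith("#KCMDDC") else "unknown",
        "version_marker": version,
        "campaign": cfg.get("CampaignID", ""),
        "c2": extract_c2(cfg.get("Domains", "")),
        "mutex": cfg.get("Mutex", ""),
        "keylogger": cfg.get("OfflineKeylogger") == "1",
        "firewall_bypass": cfg.get("FireWallBypass") == "1",
        "ftp_exfil": bool(cfg.get("FTPHost")),
    }


if __name__ == "__main__":
    for key, value in build_iocs(SAMPLE_OUTPUT).items():
        print(f"{key:16} {value}")
```

The mutex is the cheap host-side indicator (a running process holding `DC_MUTEX-*` is a strong signal), while the host:port pair goes straight into DNS and egress blocking; the empty FTP keys tell you there is no separate exfiltration channel to chase beyond the C2 itself.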
// 0x8 ///////////////////////////////////////////////////////

$ nslookup mrwhite8391.ddns.net
Server: 208.67.222.222
Address: 208.67.222.222#53

Non-authoritative answer:
Name: mrwhite8391.ddns.net
Address: 90.184.127.54

$ whois 90.184.127.54
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '90.184.0.0 - 90.184.127.255'

% Abuse contact for '90.184.0.0 - 90.184.127.255' is 'abuse@fullrate.dk'

inetnum: 90.184.0.0 - 90.184.127.255
netname: FULLRATE-POOL-TWO
descr: Fullrate-DK-CUSTOMERS
country: DK
admin-c: FULL-RIPE
tech-c: FULL-RIPE
org: ORG-TOTA1-RIPE
remarks: +--------------------------------------------------------
remarks: | NB! In case of abuse, please contact abuse@fullrate.dk |
remarks: +--------------------------------------------------------
status: ASSIGNED PA
mnt-routes: FULLRATE-MNT
mnt-lower: FULLRATE-MNT
mnt-by: FULLRATE-MNT
created: 2006-10-17T14:06:32Z
last-modified: 2014-08-08T12:54:28Z
source: RIPE

organisation: ORG-TOTA1-RIPE
org-name: Fullrate A/S
org-type: OTHER
address: Fullrate A/S
address: Peter Maegbaek Madsen
address: Telegade 2 bygn. 4
address: 2630
address: Taastrup
address: DENMARK
phone: +4542124021
fax-no: +4532154503
descr: Fullrate
admin-c: RL8463-RIPE
mnt-ref: FULLRATE-MNT
mnt-by: FULLRATE-MNT
abuse-c: FULL-RIPE
created: 2006-03-15T06:11:11Z
last-modified: 2013-12-02T17:51:13Z
source: RIPE # Filtered

role: Fullrate Technical Contact
address: Fullrate A/S
address: Telegade 2
address: DK-2630 Taastrup
admin-c: RL8463-RIPE
tech-c: RL8463-RIPE
nic-hdl: FULL-RIPE
abuse-mailbox: abuse@fullrate.dk
remarks: +--------------------------------------------------------
remarks: | NB! In case of abuse, please contact abuse@fullrate.dk |
remarks: +--------------------------------------------------------
created: 2006-10-26T15:01:43Z
last-modified: 2013-04-04T09:11:12Z
source: RIPE # Filtered
mnt-by: FULLRATE-MNT

% Information related to '90.184.0.0/15AS39554'

route: 90.184.0.0/15
descr: fullrate A/S
remarks: ***************************************************************
remarks: * Any abuse reports, please send them to *
remarks: * abuse@fullrate.dk *
remarks: ***************************************************************
origin: AS39554
mnt-by: MNT-FULLRATE
mnt-by: AS3292-MNT
mnt-by: FULLRATE-MNT
created: 2006-10-12T13:38:53Z
last-modified: 2017-05-12T04:49:57Z
source: RIPE

% This query was served by the RIPE Database Query Service version 1.89.2 (WAGYU)


// 0x9 ///////////////////////////////////////////////////////

// Check the standard www ports.

// Accessing port 80 of the RAT server shows a generic,
// unfirewalled router login page for a ZyXEL VMG8924-B10A device.

http://90.184.127.54:80

// Appears to be a home connection (Fullrate-DK-CUSTOMERS).
// When you can't port forward a single port, so you just disable
// the entire firewall. Yep, that's what we're dealing with here.


// 0x10 //////////////////////////////////////////////////////

// Hello Mr. White!

// At this point it's safe to say these are all publicly accessible
// accounts/profiles of one skiddividual. He seems to like his
// cheats and his games.

// https://www.nulled.to/user/1101188-mrwhite8391
// Skid forums
// Account created 25th August 2017 (1 day before the YouTube sample)

// https://ennui.ninja/forum/index.php?/profile/3283-mrwhite8391/
// "rust" cheating software profile

// https://chods-cheats.com/profile/24415-mrwhite8391/
// More cheating software / forums

// https://hypixel.net/members/mrwhite8391.1598335/
// Gaming website, he hacked his own profile!
// "Hackede by Mr. White / Skype: live:mrwhite8391"
// (hacks his own profile...)

// https://d3sk1ng.com/index.php?members/mrwhite8391.6868/
// Discussion forum
// Profile mentions, "Birthday: May 27"

// http://www.voidraids.com/
// Online store for sale of stolen user data
// Mentions contact email: MRWHITE8391@GMAIL.COM
// Transactions are processed through PayPal
// Also mentions a Discord chat server

// https://www.reddit.com/user/mrwhite8391/
// Reddit account mentioning sale of Steam/Minecraft accounts

// http://www.d3scene.com/forum/members/mrwhite8391.html
// Gaming forum

// https://www.roblox.com/users/196134195/profile
// Roblox game

// http://www.mrwhite8391.tk/
// Google cache
// HKC - Hacked Accounts For Cheap Prices!
// How To Buy. Contact us on Mail or Discord. *Discord is preferred!*
// MRWHITE8391@GMAIL.COM. Contact Us On Discord.

// https://archive.nyafuu.org/bant/thread/1746597/
// Board spam
// "mrwhite8391.tk" -- Denmark GeoIP location presented on post


// 0x11 //////////////////////////////////////////////////////

// 000webhost being used to serve stolen ratted user data...

$ nslookup www.voidraids.com
Server: 208.67.222.222
Address: 208.67.222.222#53

Non-authoritative answer:
www.voidraids.com canonical name = darkgrainstk.000webhostapp.com.
darkgrainstk.000webhostapp.com canonical name = us-east-1.route-1.000webhost.awex.io.
Name: us-east-1.route-1.000webhost.awex.io
Address: 145.14.144.89
Name: us-east-1.route-1.000webhost.awex.io
Address: 2a02:4780:dead:1d0c::1


GoDaddy also seems to be providing the apex domain.

$ nslookup voidraids.com
Server: 208.67.222.222
Address: 208.67.222.222#53

Non-authoritative answer:
Name: voidraids.com
Address: 184.168.221.27


// 0x12 //////////////////////////////////////////////////////

// Discord chat (linked from above)
https://discordapp.com/channels/332894635053809664/332894635053809664

// Offline members:
// JKR Jonas
// Mr. Black
// Mr. White

// On load, shows previous chat history

>>> BEGIN DISCORD CHAT LOG

bruh - 08/13/2017
bitches

Mr. White - 08/13/2017
?

bruh - 08/13/2017
wanna fight scrub?

Mr. White - 08/13/2017
Lmao, kid...
I've got a Steam account with 33+ paid games and it's worth over 200$
U gonna buy?

bruh - 08/13/2017
never

Mr. White - 08/13/2017
Well i've got a Minecraft account too, that might fit your age

bruh - 08/13/2017
never
White?
Why not brown?
mr.been!

Mr. White - 08/13/2017
Because you haven't watched Breaking Bad...

bruh - 08/13/2017
fucking sweet
i'll rather watch the 100 tho

Mr. White - 08/13/2017
How did u even get in this discord?

bruh - 08/13/2017
found it on 4chan

Mr. White - 08/13/2017
Lmao after i got banned..

￰￰ - 08/13/2017
@Mr. White

Mr. White - 08/13/2017
@￰￰#6535 ?

Mr. White - 08/14/2017
I wanted you to answer me, but you didn't
You've gotten a text on your phone. Send it to me.
Now.
Do it and i will delete all your information.
@ToMaTokiller
anniedion8@gmail.com
What is your recovery mail. U sent wrong code
I will delete all information about you after this.
anniedion8@gmail.com what is your recovery mail
What is your best friend's first name?
Answer and this is over
What is your best friend's name
Answer or i'll release your family members' information
wrong
wrong
wrong
Do not lie.
Last Chance
184.162.177.179
No

Mr. Black - Last Thursday at 7:00 PM
fd
f
f
f
f
fff

<<< END DISCORD CHAT LOG


// 0x13 //////////////////////////////////////////////////////

// So what have we found?

// RAT malware .... DarkComet
// User / alias .... mrwhite8391
// Youtube .... http://youtube.com/channel/UCJrOL-tgMP_68jeO96Fj8-w
// Discord .... https://discordapp.com/channels/332894635053809664/332894635053809664
// Website .... http://www.voidraids.com/
// Skype .... live:mrwhite8391
// Gmail .... MRWHITE8391@GMAIL.COM
// Reddit .... mrwhite8391
// Net Address .... 90.184.127.54
// Location .... Denmark
// ISP .... Fullrate

// We've correlated enough information to rat on this RATTING
// skid. They are using their own home internet connection to
// serve up a DarkComet server, and in the process of searching
// online we have found enough information to be certain that
// the distributor of this malware goes by mrwhite8391 and is
// distributing malware from this home IP address.

// Conclusion? Don't RAT.
// Knock Knock... v&


// EOF //////////////////////////////////////////////////:-)//