- ,-------------------------------------,
- /                                     /
- /      PEST CONTROL! August 2017      /
- /                                     /
- -------------------------------------`
- [fox ASCII art]
- [Ratting on the RATTERS - issue 0x01]
- $ whoami
- fox
- ...because nobody likes a skid
- RATTING is sad. RATTING is lame.
- // 0x1 ///////////////////////////////////////////////////////
- Find stubs / packers / misc malware
- // Site .... Youtube.com
- // Keywords .... Hack tool download
- // Result
- https://www.youtube.com/watch?v=RDAzC1rxTts
- // 0x2 ///////////////////////////////////////////////////////
- // Fetch any linked archive download
- https://mega.nz/#!h2YjjKzD!e--XB1wQ0J8a9hKMq3_AgyJCdYXFCHnnYIe0-skk3Dw
- // 0x3 ///////////////////////////////////////////////////////
- $ unrar e Rust\ Plantinum\ Cracked.rar
- // 0x4 ///////////////////////////////////////////////////////
- // Appears to be a cheat for that game with naked guys and rocks.
- $ ls
- ClientPlugin.dll SQLite.Interop.dll
- Rust Plantinum Cracked 1.5.7.exe System.Data.SQLite.dll
- // 0x5 ///////////////////////////////////////////////////////
- $ file Rust\ Plantinum\ Cracked\ 1.5.7.exe
- Rust Plantinum Cracked 1.5.7.exe: PE32 executable (GUI) Intel 80386, for MS Windows
- // 0x6 ///////////////////////////////////////////////////////
- // Send that binded junk to virustotal
- // First time the sample has been analyzed, and holy fuck.
- Detection ratio: 58 / 63
- https://virustotal.com/en/file/0af9b967683c3e19661951bed41c8ad3eac0607147b71b0c745443206c57a2d1/analysis/1503789652/
- // We have a skid!
- // 0x7 ///////////////////////////////////////////////////////
- // Who has time to run this in a VM?
- // It's a cheat tool with a RAT stub bound to it, i.e. a dropper...
- // Let's see what kevthehermit's RATDecoder has to say...
- [+] Reading file
- [+] Searching for Config
- [+] Printing Config to screen
- [-] Key: CampaignID Value: Guest16
- [-] Key: Domains Value: mrwhite8391.ddns.net:8015
- [-] Key: FTPHost Value:
- [-] Key: FTPKeyLogs Value:
- [-] Key: FTPPassword Value:
- [-] Key: FTPPort Value:
- [-] Key: FTPRoot Value:
- [-] Key: FTPSize Value:
- [-] Key: FTPUserName Value:
- [-] Key: FireWallBypass Value: 1
- [-] Key: Gencode Value: BZ8TyxZ4r2ms
- [-] Key: Mutex Value: DC_MUTEX-9TK1E8U
- [-] Key: OfflineKeylogger Value: 1
- [-] Key: Password Value:
- [-] Key: Version Value: #KCMDDC51#
- [+] End of Config
- // Looks like we have a DarkComet!
- // What year is it?!!?!?
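What RATDecoder is doing under the hood, as an added example (not part of the original paste and not kevthehermit's code): DarkComet stubs keep their config RC4-encrypted under a static key made of the version marker plus "-890", which is why the decoder's Version line reads "#KCMDDC51#" and its key was "#KCMDDC51#-890". The key list is reproduced from memory of the public decoders and the internal-name to printed-label mapping (NETDATA to Domains, SID to CampaignID, ...) is assumed; check both against your own sample. Extracting the blob from the stub's resource section (pefile) is not shown. The sample blob is constructed: a 5.1-style config, RC4-encrypted and hex-encoded so the script runs offline, with made-up C2 hostnames; if your extractor hands you raw bytes, drop the unhexlify.

```python
import binascii
import re

# Static RC4 keys used by DarkComet stubs (version marker + "-890").
# Reproduced from memory of the public decoders: confirm against your sample.
DARKCOMET_KEYS = [
    b"#KCMDDC51#-890",   # 5.1+  (the "#KCMDDC51#" Version value in the dump above)
    b"#KCMDDC5#-890",    # 5.0
    b"#KCMDDC42F#-890",  # 4.2F
    b"#KCMDDC42#-890",   # 4.2
    b"#KCMDDC4#-890",    # 4.x
    b"#KCMDDC2#-890",    # 2.x
]

# DarkComet's internal field names -> the labels RATDecoder prints (assumed mapping).
FIELD_NAMES = {
    "SID": "CampaignID", "NETDATA": "Domains", "MUTEX": "Mutex",
    "GENCODE": "Gencode", "PWD": "Password", "FWB": "FireWallBypass",
    "OFFLINEK": "OfflineKeylogger", "FTPHOST": "FTPHost", "FTPUSER": "FTPUserName",
    "FTPPASS": "FTPPassword", "FTPPORT": "FTPPort", "FTPROOT": "FTPRoot",
    "FTPSIZE": "FTPSize", "FTPUPLOADK": "FTPKeyLogs",
}


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_config(plaintext: bytes) -> dict:
    """Turn decrypted KEY={value} lines into a dict using RATDecoder's labels."""
    cfg = {}
    for line in plaintext.decode("latin-1").splitlines():
        m = re.fullmatch(r"([A-Z0-9]+)=\{(.*)\}", line.strip())
        if m:
            cfg[FIELD_NAMES.get(m.group(1), m.group(1))] = m.group(2)
    return cfg


def decrypt_config(hex_blob: str) -> dict:
    """Try each known key; the right one yields readable KEY={..} lines, wrong ones noise."""
    raw = binascii.unhexlify(hex_blob)
    for key in DARKCOMET_KEYS:
        plain = rc4(key, raw)
        if b"MUTEX={" in plain or b"NETDATA={" in plain:
            cfg = parse_config(plain)
            cfg["Version"] = key[:-4].decode()   # drop the "-890" suffix
            return cfg
    raise ValueError("no known DarkComet key yields a readable config")


def c2_endpoints(cfg: dict) -> list:
    """Split Domains into (host, port) pairs; several C2s are '|'-separated.
    1604 is DarkComet's default port when none is given."""
    out = []
    for entry in cfg.get("Domains", "").split("|"):
        entry = entry.strip()
        if not entry:
            continue
        if ":" in entry:
            host, _, port = entry.rpartition(":")
        else:
            host, port = entry, "1604"
        out.append((host, int(port)))
    return out


# Constructed sample (hostnames made up): a 5.1-style config, RC4 + hex.
SAMPLE_PLAINTEXT = b"\r\n".join([
    b"MUTEX={DC_MUTEX-EXAMPL}",
    b"SID={Guest16}",
    b"FWB={1}",
    b"NETDATA={rat-c2.example.net:1604|backup.example.net:1605}",
    b"GENCODE={ABCDEFGHIJKL}",
    b"OFFLINEK={1}",
    b"PWD={}",
])
SAMPLE_HEX = binascii.hexlify(rc4(DARKCOMET_KEYS[0], SAMPLE_PLAINTEXT)).decode()

if __name__ == "__main__":
    cfg = decrypt_config(SAMPLE_HEX)
    for k, v in sorted(cfg.items()):
        print(f"[-] Key: {k} Value: {v}")
    print("C2:", c2_endpoints(cfg))
```

The plausibility check on "MUTEX={" is what lets the script walk the key list without knowing the version up front; the Version value falls out of whichever key worked. The host:port pairs are the indicators worth pivoting on next (DNS, whois), and the Mutex value is the host-based one.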
- // 0x8 ///////////////////////////////////////////////////////
- $ nslookup mrwhite8391.ddns.net
- Server: 208.67.222.222
- Address: 208.67.222.222#53
- Non-authoritative answer:
- Name: mrwhite8391.ddns.net
- Address: 90.184.127.54
- $ whois 90.184.127.54
- % This is the RIPE Database query service.
- % The objects are in RPSL format.
- %
- % The RIPE Database is subject to Terms and Conditions.
- % See http://www.ripe.net/db/support/db-terms-conditions.pdf
- % Note: this output has been filtered.
- % To receive output for a database update, use the "-B" flag.
- % Information related to '90.184.0.0 - 90.184.127.255'
- % Abuse contact for '90.184.0.0 - 90.184.127.255' is 'abuse@fullrate.dk'
- inetnum: 90.184.0.0 - 90.184.127.255
- netname: FULLRATE-POOL-TWO
- descr: Fullrate-DK-CUSTOMERS
- country: DK
- admin-c: FULL-RIPE
- tech-c: FULL-RIPE
- org: ORG-TOTA1-RIPE
- remarks: +--------------------------------------------------------
- remarks: | NB! In case of abuse, please contact abuse@fullrate.dk |
- remarks: +--------------------------------------------------------
- status: ASSIGNED PA
- mnt-routes: FULLRATE-MNT
- mnt-lower: FULLRATE-MNT
- mnt-by: FULLRATE-MNT
- created: 2006-10-17T14:06:32Z
- last-modified: 2014-08-08T12:54:28Z
- source: RIPE
- organisation: ORG-TOTA1-RIPE
- org-name: Fullrate A/S
- org-type: OTHER
- address: Fullrate A/S
- address: Peter Maegbaek Madsen
- address: Telegade 2 bygn. 4
- address: 2630
- address: Taastrup
- address: DENMARK
- phone: +4542124021
- fax-no: +4532154503
- descr: Fullrate
- admin-c: RL8463-RIPE
- mnt-ref: FULLRATE-MNT
- mnt-by: FULLRATE-MNT
- abuse-c: FULL-RIPE
- created: 2006-03-15T06:11:11Z
- last-modified: 2013-12-02T17:51:13Z
- source: RIPE # Filtered
- role: Fullrate Technical Contact
- address: Fullrate A/S
- address: Telegade 2
- address: DK-2630 Taastrup
- admin-c: RL8463-RIPE
- tech-c: RL8463-RIPE
- nic-hdl: FULL-RIPE
- abuse-mailbox: abuse@fullrate.dk
- remarks: +--------------------------------------------------------
- remarks: | NB! In case of abuse, please contact abuse@fullrate.dk |
- remarks: +--------------------------------------------------------
- created: 2006-10-26T15:01:43Z
- last-modified: 2013-04-04T09:11:12Z
- source: RIPE # Filtered
- mnt-by: FULLRATE-MNT
- % Information related to '90.184.0.0/15AS39554'
- route: 90.184.0.0/15
- descr: fullrate A/S
- remarks: ***************************************************************
- remarks: * Any abuse reports, please send them to *
- remarks: * abuse@fullrate.dk *
- remarks: ***************************************************************
- origin: AS39554
- mnt-by: MNT-FULLRATE
- mnt-by: AS3292-MNT
- mnt-by: FULLRATE-MNT
- created: 2006-10-12T13:38:53Z
- last-modified: 2017-05-12T04:49:57Z
- source: RIPE
- % This query was served by the RIPE Database Query Service version 1.89.2 (WAGYU)
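Pulling the bits that matter out of that wall of RPSL, as an added example (not part of the original paste): a small parser that splits RIPE-style whois output into objects, picks the abuse contact, netname, country and originating AS, and confirms the resolved IP actually falls inside the returned inetnum and route. The embedded text is a trimmed copy of the output above; the object-class list used to detect record boundaries is my own choice.

```python
import ipaddress
import re

# Trimmed copy of the RIPE output shown above (same values, fewer lines).
WHOIS_SAMPLE = """\
% This is the RIPE Database query service.
% Note: this output has been filtered.
% Information related to '90.184.0.0 - 90.184.127.255'
% Abuse contact for '90.184.0.0 - 90.184.127.255' is 'abuse@fullrate.dk'
inetnum:        90.184.0.0 - 90.184.127.255
netname:        FULLRATE-POOL-TWO
descr:          Fullrate-DK-CUSTOMERS
country:        DK
admin-c:        FULL-RIPE
org:            ORG-TOTA1-RIPE
status:         ASSIGNED PA
mnt-by:         FULLRATE-MNT
source:         RIPE
organisation:   ORG-TOTA1-RIPE
org-name:       Fullrate A/S
org-type:       OTHER
abuse-c:        FULL-RIPE
source:         RIPE # Filtered
role:           Fullrate Technical Contact
nic-hdl:        FULL-RIPE
abuse-mailbox:  abuse@fullrate.dk
source:         RIPE # Filtered
% Information related to '90.184.0.0/15AS39554'
route:          90.184.0.0/15
descr:          fullrate A/S
origin:         AS39554
mnt-by:         FULLRATE-MNT
source:         RIPE
"""

# Attributes that open a new RPSL object (my selection; extend as needed).
CLASS_KEYS = {"inetnum", "inet6num", "organisation", "role", "person",
              "route", "route6", "aut-num", "mntner"}
ATTR_RE = re.compile(r"^([a-z][a-z0-9-]*):\s*(.*)$")


def parse_rpsl(text: str) -> list:
    """Split whois output into objects. Repeated attributes are kept as lists.
    Blank lines and '%' comment lines end an object; so does a class key
    showing up mid-stream, which handles output whose blank lines were lost."""
    objects, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("%"):
            if current:
                objects.append(current)
                current = {}
            continue
        m = ATTR_RE.match(line)
        if not m:
            continue                       # continuation/garbage: ignore here
        key, value = m.group(1), m.group(2)
        if key in CLASS_KEYS and current:
            objects.append(current)
            current = {}
        current.setdefault(key, []).append(value)
    if current:
        objects.append(current)
    return objects


def whois_triage(text: str) -> dict:
    """The handful of fields you need for an abuse report or an attribution note."""
    out = {}
    m = re.search(r"% Abuse contact for '[^']+' is '([^']+)'", text)
    if m:
        out["abuse"] = m.group(1)
    for obj in parse_rpsl(text):
        if "inetnum" in obj:
            for k in ("inetnum", "netname", "descr", "country"):
                if k in obj:
                    out[k] = obj[k][0]
        if "org-name" in obj:
            out["org-name"] = obj["org-name"][0]
        if "abuse-mailbox" in obj:
            out.setdefault("abuse", obj["abuse-mailbox"][0])
        if "route" in obj:
            out["route"] = obj["route"][0]
            out["origin"] = obj["origin"][0]
    return out


def ip_is_covered(ip: str, info: dict) -> bool:
    """Sanity check: the address really sits in both the inetnum and the route."""
    addr = ipaddress.ip_address(ip)
    lo, hi = (ipaddress.ip_address(p.strip()) for p in info["inetnum"].split("-"))
    return lo <= addr <= hi and addr in ipaddress.ip_network(info["route"])


if __name__ == "__main__":
    info = whois_triage(WHOIS_SAMPLE)
    print(info)
    print("covered:", ip_is_covered("90.184.127.54", info))
```

The inetnum/route containment check is the one worth keeping: whois servers answer with the most specific object they have, and a stale resolver answer or a typo in the IP will happily give you a plausible-looking but wrong abuse contact.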
- // 0x9 ///////////////////////////////////////////////////////
- // Check the standard www ports.
- // Port 80 on the RAT server answers with the stock, unfirewalled
- // login page of a ZyXEL VMG8924-B10A home router.
- http://90.184.127.54:80
- // Consistent with a home connection (Fullrate-DK-CUSTOMERS).
- // When you can't work out how to forward a single port, you
- // disable the whole firewall instead. Yep, that's what we're
- // dealing with here: the router's admin UI is exposed to the
- // internet right alongside the C2 port.
- // 0x10 //////////////////////////////////////////////////////
- // Hello Mr. White!
- // At this point it's safe to say these are all publicly accessible
- // accounts/profiles of one skiddividual. He seems to like his
- // cheats and his games.
- // https://www.nulled.to/user/1101188-mrwhite8391
- // Skid forums
- // Account created 25th August 2017 (1 day before youtube sample)
- // https://ennui.ninja/forum/index.php?/profile/3283-mrwhite8391/
- // "rust" cheating software profile
- // https://chods-cheats.com/profile/24415-mrwhite8391/
- // More cheating software / forums
- // https://hypixel.net/members/mrwhite8391.1598335/
- // Gaming website, he hacked his own profile!
- // "Hackede by Mr. White / Skype: live:mrwhite8391"
- // (hacks his own profile...)
- // https://d3sk1ng.com/index.php?members/mrwhite8391.6868/
- // Discussion forum
- // Profile mentions, "Birthday: May 27"
- // http://www.voidraids.com/
- // Online store for sale of stolen user data
- // Mentions contact email: MRWHITE8391@GMAIL.COM
- // Transactions are processed through PayPal
- // Also mentions discord chat server
- // https://www.reddit.com/user/mrwhite8391/
- // Reddit account mentioning sale of steam/minecraft accounts
- // http://www.d3scene.com/forum/members/mrwhite8391.html
- // Gaming forum
- // https://www.roblox.com/users/196134195/profile
- // Roblox game
- // http://www.mrwhite8391.tk/
- // Google cache
- // HKC - Hacked Accounts For Cheap Prices!
- // How To Buy. Contact us on Mail or Discord.*Discord is preferred!*
- // MRWHITE8391@GMAIL.COM. Contact Us On Discord.
- // https://archive.nyafuu.org/bant/thread/1746597/
- // Board spam
- // "mrwhite8391.tk" -- Denmark GeoIP location presented on post
- // 0x11 //////////////////////////////////////////////////////
- // The storefront for the stolen (RATted) user data is hosted on 000webhost...
- $ nslookup www.voidraids.com
- Server: 208.67.222.222
- Address: 208.67.222.222#53
- Non-authoritative answer:
- www.voidraids.com canonical name = darkgrainstk.000webhostapp.com.
- darkgrainstk.000webhostapp.com canonical name = us-east-1.route-1.000webhost.awex.io.
- Name: us-east-1.route-1.000webhost.awex.io
- Address: 145.14.144.89
- Name: us-east-1.route-1.000webhost.awex.io
- Address: 2a02:4780:dead:1d0c::1
- // GoDaddy also seems to be involved: the bare domain resolves to a
- // GoDaddy address (184.168.x.x) rather than following the www CNAME,
- // so the apex is parked/hosted there while the content sits on 000webhost.
- $ nslookup voidraids.com
- Server: 208.67.222.222
- Address: 208.67.222.222#53
- Non-authoritative answer:
- Name: voidraids.com
- Address: 184.168.221.27
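Why www and the bare domain end up at two different providers, as an added example (not part of the original paste): a small CNAME-chain walker over a constructed record table that reproduces the answers above. An apex name cannot carry a CNAME, so voidraids.com has to be an A record (here GoDaddy's address) while www is free to be CNAMEd into 000webhost. The provider-suffix table is my own assumption about who answers abuse for which names, and the loop-a/loop-b records are constructed to show the failure mode a naive walker falls into.

```python
# Constructed record table reproducing the nslookup answers above. Names are
# fully qualified (trailing dot), the way a resolver stores them.
RECORDS = {
    "www.voidraids.com.": [("CNAME", "darkgrainstk.000webhostapp.com.")],
    "darkgrainstk.000webhostapp.com.": [("CNAME", "us-east-1.route-1.000webhost.awex.io.")],
    "us-east-1.route-1.000webhost.awex.io.": [("A", "145.14.144.89"),
                                              ("AAAA", "2a02:4780:dead:1d0c::1")],
    "voidraids.com.": [("A", "184.168.221.27")],        # apex: A record, no CNAME
    # constructed loop to exercise the guard
    "loop-a.example.": [("CNAME", "loop-b.example.")],
    "loop-b.example.": [("CNAME", "loop-a.example.")],
}

# Assumption: which hosting provider owns names under these suffixes.
PROVIDER_SUFFIXES = {
    ".000webhostapp.com.": "000webhost",
    ".000webhost.awex.io.": "000webhost",
}


def follow_cnames(name: str, records: dict, max_hops: int = 8):
    """Walk CNAMEs from `name`. Returns (chain, addresses) where chain lists
    every name visited in order and addresses are the A/AAAA targets at the
    end. Raises on a loop or an over-long chain instead of spinning."""
    chain, seen = [name], {name}
    while True:
        rrs = records.get(chain[-1], [])
        cnames = [target for typ, target in rrs if typ == "CNAME"]
        if not cnames:
            return chain, [target for typ, target in rrs if typ in ("A", "AAAA")]
        nxt = cnames[0]                      # a name may carry only one CNAME
        if nxt in seen:
            raise ValueError(f"CNAME loop at {nxt}")
        if len(chain) >= max_hops:
            raise ValueError("CNAME chain too long")
        seen.add(nxt)
        chain.append(nxt)


def hosting_provider(chain: list, suffixes: dict = PROVIDER_SUFFIXES):
    """First provider whose suffix matches any name in the chain, else None."""
    for n in chain:
        for suffix, provider in suffixes.items():
            if n.endswith(suffix):
                return provider
    return None


if __name__ == "__main__":
    for qname in ("www.voidraids.com.", "voidraids.com."):
        chain, addrs = follow_cnames(qname, RECORDS)
        print(qname, "->", " -> ".join(chain[1:]) or "(no CNAME)", addrs,
              "provider:", hosting_provider(chain))
```

The practical upshot for a takedown: the report about the content goes to the provider at the end of the www chain, while anything about the domain itself goes to whoever the apex and the registrar records point at; resolving only one of the two names gets you half the picture.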
- // 0x12 //////////////////////////////////////////////////////
- // Discord chat (linked from above)
- https://discordapp.com/channels/332894635053809664/332894635053809664
- // Offline members:
- // JKR Jonas
- // Mr. Black
- // Mr. White
- // On load, shows previous chat history
- >>> BEGIN DISCORD CHAT LOG
- bruh - 08/13/2017
- bitches
- Mr. White - 08/13/2017
- ?
- bruh - 08/13/2017
- wanna fight scrub?
- Mr. White - 08/13/2017
- Lmao, kid...
- I've got a Steam account with 33+ paid games and it's worth over 200$
- U gonna buy?
- bruh - 08/13/2017
- never
- Mr. White - 08/13/2017
- Well i've got a Minecraft account too, that might fit your age
- bruh - 08/13/2017
- never
- White?
- Why not brown?
- mr.been!
- Mr. White - 08/13/2017
- Beacause you havn't watched Breaking Bad...
- bruh - 08/13/2017
- fucking sweet
- i'll rather watch the 100 tho
- Mr. White - 08/13/2017
- How did u even get in this discord?
- bruh - 08/13/2017
- found it on 4chan
- Mr. White - 08/13/2017
- Lmao after i got banned..
- - 08/13/2017
- @Mr. White
- Mr. White - 08/13/2017
- @#6535 ?
- Mr. White - 08/14/2017
- I wanted you to anwser me, but you didn't
- You've gotten a text on your phone. Send it to me.
- Now.
- Do it and i will delete all your information.
- @ToMaTokiller
- anniedion8@gmail.com
- What is your recover mail. U sent wrong code
- I will delete all information about you after this.
- anniedion8@gmail.com what is your recover mail
- Prénom de votre meilleur ami ? (French: "What is your best friend's first name?")
- Anwser and this is over
- What is your best friends name
- Anwser or i'll release your family members information
- wrong
- wrong
- wrong
- Do not lie.
- Last Chance
- 184.162.177.179
- No
- Mr. Black - Last Thursday at 7:00 PM
- fd
- f
- f
- f
- f
- fff
- <<< END DISCORD CHAT LOG
- // 0x13 //////////////////////////////////////////////////////
- // So what have we found?
- // RAT malware .... DarkComet
- // User / alias .... mrwhite8391
- // Youtube .... http://youtube.com/channel/UCJrOL-tgMP_68jeO96Fj8-w
- // Discord .... https://discordapp.com/channels/332894635053809664/332894635053809664
- // Website .... http://www.voidraids.com/
- // Skype .... live:mrwhite8391
- // Gmail .... MRWHITE8391@GMAIL.COM
- // Reddit .... mrwhite8391
- // Net Address .... 90.184.127.54
- // Location .... Denmark
- // ISP .... Fullrate A/S (abuse@fullrate.dk)
- // We've correlated enough information to rat on this RATTING
- // skid. The DarkComet server sits on the operator's own home
- // connection (a Fullrate customer-pool address behind a ddns.net
- // dynamic-DNS name), and every account dug up above hangs off the
- // same alias. That is enough to be confident the distributor of
- // this sample goes by mrwhite8391 and was serving the C2 from
- // that home IP at the time of writing. One caveat: the address is
- // dynamic (hence the DDNS name), so the IP on its own is a weak
- // identifier; the DDNS hostname and the ISP abuse contact are the
- // stable handles for a report.
- // Conclusion? Don't RAT.
- // Knock Knock... v&
- // EOF //////////////////////////////////////////////////:-)//