@SimonMKWii please stop talking, you look so foolish right now
or don't, it's funny to watch you do this to yourself

> Extremely simple, open the application, open x64dbg and attach the process.
> Then look through the memory map, and extract the files.

Funny, I did that and I don't see anything, it just tries to decompress the resources (as I can see).

> @SimonMKWii please stop talking, you look so foolish right now
> or don't, it's funny to watch you do this to yourself

Feel free to infect your computer, I don't care, just trying to warn you.

> What? I don't think I've said anything about you that's contextually relevant here.

@SciresM I don't know what the fuck you said about me, but an explanation and some context would be extremely nice.
So, @ZoNtendo, when you said "but I remember SciresM talking about you and it wasn't for good stuff", what were you referring to?

> Feel free to infect your computer, I don't care, just trying to warn you.

it's fairly obvious you're just grasping at straws rn, and given your track record you're not exactly a reliable source

> What? I don't think I've said anything about you that's contextually relevant here.

i think they're probably referring to your comment in his hacdn thread, but i'm not entirely certain

> it's fairly obvious you're just grasping at straws rn, and given your track record you're not exactly a reliable source
> i think they're probably referring to your comment in his hacdn thread, but i'm not entirely certain

It's literally one of the first things you see in the program's RAM objects.

> So, @ZoNtendo, when you said "but I remember SciresM talking about you and it wasn't for good stuff", what were you referring to?

I mean, from ReSwitched, everyone is bitching about you.

> I mean, from ReSwitched, everyone is bitching about you.

Who's "everyone"?

> i think they're probably referring to your comment in his hacdn thread, but i'm not entirely certain

that's too, now this thread is garbage

> Who's "everyone"?

everyone when a drama starts about you, like with your titlekey website...

> It's literally one of the first things you see in the program's RAM objects.

honestly it's not worth my time to check for myself, especially if you're the one producing "evidence" that consists of about 20 pixels of a rat icon and a string of java code in image format.

It's clear you didn't even attempt to debug it, you'll see it nearly instantly.

> honestly it's not worth my time to check for myself, especially if you're the one producing "evidence" that consists of about 20 pixels of a rat icon and a string of java code in image format.

OK, it's your choice, but don't come running to me if something bad happens.

i'll keep using this tool, thanks

> Funny, I did that and I don't see anything, it just tries to decompress the resources (as I can see).

I'm not seeing anything in particular either, the provided instruction to reproduce appears to be incredibly vague. I'm also not seeing many files left behind (a config file and a log file) and no processes appear to be left running either, which is something one might expect from a RAT.

> I'm not seeing anything in particular either, the provided instruction to reproduce appears to be incredibly vague. I'm also not seeing many files left behind (a config file and a log file) and no processes appear to be left running either, which is something one might expect from a RAT.

Yeah, I did notice that, it seems a bit odd, usually a Java process would be running in the background, I'm going to investigate further.

> Yeah, I did notice that, it seems a bit odd, usually a Java process would be running in the background, I'm going to investigate further.

Are there any dropped binaries? Have you tried running it in Sandboxie to see? Keep in mind that .NET malware likes to inject itself into the .NET console in order to break out of sandboxing and to seem inconspicuous. Just because nothing is apparent in your process list doesn't mean that the malicious party isn't using some shitty ring3 kit (supplied by a crappy crypter) to bypass first glances. I'm checking this out too. I'll report back if I find anything interesting.

> Simon, please stop. You're defaming the authors of this software.
> The only network activity this program has is to check Github for new releases.
> This program is .NET-only.
> Please provide evidence of your claims.

Well, he did find the jRAT icon in the binary. He's either trying entirely too hard, or the author is a skidmark that uses shitty, free RATs. If a jRAT binary is found, we'll have the IP/DNS it connects to as well as SMTP settings and the password used for the backconnect because jRAT stores this shit in plaintext. This said, I'm doing my own analysis so I don't come off as biased.

> Well, he did find the jRAT icon in the binary. He's either trying entirely too hard, or the author is a skidmark that uses shitty, free RATs. If a jRAT binary is found, we'll have the IP/DNS it connects to as well as SMTP settings and the password used for the backconnect because jRAT stores this shit in plaintext. This said, I'm doing my own analysis so I don't come off as biased.

Make a RAM dump of the app with Process Manager, go to the folder of the dump, download the jrat icon he posted, and try to search the icon with a hex editor.

> Make a RAM dump of the app with Process Manager, go to the folder of the dump, download the jrat icon he posted, and try to search the icon with a hex editor.

I don't use Windows. Sorry to disappoint. You'll get my analysis when it's ready.

I didn't find anything.

> Well, he did find the jRAT icon in the binary. He's either trying entirely too hard, or the author is a skidmark that uses shitty, free RATs. If a jRAT binary is found, we'll have the IP/DNS it connects to as well as SMTP settings and the password used for the backconnect because jRAT stores this shit in plaintext. This said, I'm doing my own analysis so I don't come off as biased.

@SimonMKWii take notes tbh. this guy's approach is much better than "here's a png of a rat embedded in the program(?) and an image of some java i found in a hex editor once". dunno if you're trying to say that's in the program itself, but i certainly haven't found any sort of java from the ram dump i did. environment variables with my java path, yes. harmless javascript, sure. anything like what you posted, nah.
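A repeatable version of the check the thread keeps arguing over (search a process dump or the binary for the posted icon's bytes and for an embedded JAR), added here as an example and not code from anyone in the thread. It flags PNG, ZIP/JAR, Java class and manifest signatures, walks any ZIP local headers it finds to list entry names, and runs on a constructed sample dump rather than a real process image.

```python
import io
import struct
import zipfile
from typing import Dict, List, Tuple

# Patterns worth flagging when testing the "embedded jRAT" claim: jRAT ships as a JAR, and a JAR is a ZIP.
SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "zip_or_jar": b"PK\x03\x04",
    "java_class": b"\xca\xfe\xba\xbe",
    "jar_manifest": b"META-INF/MANIFEST.MF",
}

def find_all(data: bytes, needle: bytes) -> List[int]:
    """Every offset at which needle occurs in data."""
    hits, pos = [], data.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits

def scan_dump(dump: bytes, reference_icon: bytes = b"") -> Dict[str, List[int]]:
    """Signature offsets in the dump, plus exact hits of a reference icon's bytes if one is given."""
    report = {name: find_all(dump, sig) for name, sig in SIGNATURES.items()}
    if reference_icon:
        report["reference_icon"] = find_all(dump, reference_icon)
    return report

def zip_entry_names(dump: bytes, offset: int, limit: int = 32) -> List[str]:
    """Walk ZIP local-file headers from offset; a JAR shows META-INF/ and .class entries."""
    names: List[str] = []
    while len(names) < limit and dump[offset:offset + 4] == b"PK\x03\x04":
        # local header: sig(4) ver(2) flags(2) method(2) time(2) date(2) crc(4) csize(4) usize(4) nlen(2) xlen(2)
        flags = struct.unpack_from("<H", dump, offset + 6)[0]
        csize, _usize, nlen, xlen = struct.unpack_from("<IIHH", dump, offset + 18)
        names.append(dump[offset + 30:offset + 30 + nlen].decode("utf-8", "replace"))
        if flags & 0x08:  # sizes live in a trailing data descriptor; stop rather than guess
            break
        offset += 30 + nlen + xlen + csize
    return names

def constructed_dump() -> Tuple[bytes, bytes]:
    """Constructed sample, not a real dump: a PE-like prefix, a PNG icon, then a stored JAR."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w", zipfile.ZIP_STORED) as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("Sample.class", b"\xca\xfe\xba\xbe\x00\x00\x00\x34")
    icon = SIGNATURES["png"] + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 13
    return b"MZ" + b"\x00" * 64 + icon + b"\x00" * 32 + jar.getvalue(), icon
```

On a real dump, read the file into `dump` and pass the bytes of the posted icon as `reference_icon`; a `zip_or_jar` hit whose entry names include META-INF/MANIFEST.MF is the region to carve and inspect further.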