RussianPanda RussianPanda95

SmartApeSG domains:
URLs serving malicious Chrome extension:
SHA-256: 0a5c087ebc6df5cd251128903ecf1f46e13b020bc9b36d8ba4c097c067fb249d
Config: {
  "uuid": "7b2a34ce27374b1ba3440bd5ef1515d9",
  "user": "gogotest",
  "buildid": "1",
  "C2": "http://79.137.192.4/p2p",
  "staging_folder": "/tmp/out.zip"
}
SHA-256: 0c11f43e9c111397fec3524feb17bf146232b11be1b4256f7f2ebf1322f01cb5
Config: {
RussianPanda95 / lummac2_config.txt
Created February 19, 2024 05:24
LummaC2 config (3abe8b51f5087787b9c121b10f37108b)
{
  "v": 4,
  "se": true,
  "ad": false,
  "ex": [
    {
      "en": "ejbalbakoplchlghecdalmeeeajnimhm",
      "ez": "MetaMask"
    },
    {
RussianPanda95 / AsukaStealer_configuration.txt
Created February 14, 2024 07:15
AsukaStealer Configuration
gecko;discord;chromium;download;grabbers;extensions;processGrabber;dll;ebaltvoumamashuazazazaza
Firefox
%USERPROFILE%/AppData/Roaming/Mozilla/Firefox
Waterfox
%USERPROFILE%/AppData/Roaming/Waterfox
K-Meleon
RussianPanda95 / atomic_stealer_decrypted_strings.txt
Last active January 16, 2024 08:40
Atomic Stealer decrypted strings
Decrypted string at address 0x1000224f2: osascript -e 'display dialog "Required Application Helper. Please enter passphrase for
Decrypted string at LEA: ." default answer "" with icon caution buttons {"Continue"} default button "Continue" giving up after 150 with title "Application wants to install helper" with hidden answer' at 0x100022629
Decrypted string at address 0x10002278a:
Decrypted string at address 0x100022b9e: pwd
Decrypted string at address 0x10002aa3c: Chromium/
Decrypted string at address 0x10002ad8d: Profile
Decrypted string at address 0x10002c328: /cookies.sqlite
Decrypted string at address 0x10002c5cd: /formhistory.sqlite
Decrypted string at address 0x10002c872: /key4.db
Decrypted string at address 0x10002cb17: /logins.json