Cracking 🛡️ CONFIG MALWARE SCANNER — Advanced Threat Detection for SB/OB

[dEEpEst]

CONFIG MALWARE SCANNER v1.0 — Advanced Threat Detection for SB/OB

---

What is it?
CONFIG MALWARE SCANNER v1.0 is a forensic analysis tool that scans SilverBullet, OpenBullet, and OpenBullet 2 config files for signs of malware infection. It detects hidden behaviors like execution, persistence, exfiltration, and malware download through obfuscated cookies.

---

Detected Threats:

• Malware downloads via direct .exe, .scr, .xe file links
• Silent execution using cmd, powershell, or ShellExecute
• Persistence mechanisms in registry or startup folders
• Exfiltration of data to remote services like Pastebin, GitHub, Discord, etc.
• Cookie-based obfuscation to build malware URLs and payload paths
• Dynamic URL chains assembled from multiple cookies

---

Flag Table:

Flag	Meaning	Main Trigger
download_exe	Detects direct executable file downloads	Line like -> FILE pointing to .exe, .xe, .scr
exec_local	Detects local command execution	Usage of BROWSERACTION Open, ShellExecute, cmd /c, start "", powershell -e
persistence	Detects persistence mechanisms	Entries like \Startup\, \Run\, reg add, schtasks
exfiltration	Detects data exfiltration to suspicious domains	URLs to pastebin, ghostbin, rentry, .php, IPs or Onion links
obfuscated_cookies_url	Detects use of cookies to hide full URLs	Cookies like "hst:", "hdp:", "htp:", "hht:"
obfuscated_file_write	Detects file writes using cookie logic	Lines like -> FILE "<COOKIES(...)>/file.exe"
suspicious_cookie_chain	Detects chained cookies forming suspicious paths	Multiple cookies generating URLs to .php, cdn.discordapp.com, raw.githubusercontent.com

---

Output Example:

📊 Final Scan Summary:

Total scanned: 37

Clean files: 33 (89.19%)

Infected files: 4 (10.81%)

🚩 Flags among infected files:

download_exe 3 (75.00%)

exec_local 2 (50.00%)

exfiltration 2 (50.00%)

obfuscated_cookies_url 1 (25.00%)

=== Detailed Results (1 line per file) ===

stealer.config | INFECTED | download_exe, exec_local, exfiltration | URL: https://dropper.malware.xyz/bin/payload | File: temp32/payload.exe | Exec: cmd /c start
safe.config | CLEAN | None

---

ScreenShot:

---

How to Use:

Run ConfigMal.exe

You'll be asked to provide the config folder path (or use the default).
All .anom, .svb, .loli, .config, and .txt files will be scanned.
Infected files will be moved to /quarantine/.
A full report will be saved to infected_config_report.csv.

---

Developers:

• Main Developer: @dEEpEst
• Collaborator: @itsMe

---

Feedback & Request:

I'm listening to your feedback and requests, they are welcome.

---

Disclaimer:
This tool is strictly for ethical research and analysis purposes only.
Do not use it on unauthorized or stolen configurations. Always respect legal boundaries.

---

Project Link:
Maybe

This link is hidden for visitors. Please Log in or register now.

---

Download:

NEW VERSION

---

Made for Hack Tools Dark Community

 

[dEEpEst]

Config Malware Scanner – Update v1.2 ​

Release Date: 2025-05-24
Author: @dEEpEst
Collaborator: @itsMe

---

What's New in v1.2 (Compared to v1.0):​

New Detection Capabilities:

• base64_obfuscation: detects Base64-encoded payloads commonly used in malware.
• hex_obfuscation: detects hexadecimal-encoded payloads and commands.
• string_concat: identifies suspicious string concatenation patterns typical of obfuscated scripts.

Demo

Integrated Deobfuscation Logic:

• Automatically decodes Base64 and Hex strings if detected.
• Partial decoded output shown directly in the terminal and CSV report.

Improved Report Output:

• New Deobfuscated field in both the summary and CSV output.
• Enhanced formatting with explicit columns: Exec, File, URL, Deob.

Better Terminal UX:

• Updated banner to reflect v1.2 clearly.
• More expressive status output ( INFECTED, CLEAN, etc.).

Smarter Heuristics:

• Exfiltration detection also applied to reconstructed URLs from cookies.
• Avoids duplicate flag logging to ensure accurate statistics.

---

Affected File:​

• ConfigMal.py: Main scanning engine updated.

---

Quick Usage:​

Download:​

File saved with ID: 83e99b3cad00473aa82fe5878f42e0ae
Download link:

This link is hidden for visitors. Please Log in or register now.

Password: htdark.com

Run ConfigMal.exe

Place your .anom, .svb, .config, or .txt files inside the configs/ folder. The scanner will detect infections, move them to quarantine/, and generate a report named infected_config_report.csv.

Sample Output:​

Filename    | Status      | Flags                        | URL                    | File         | Exec           | Deob
------------|-------------|------------------------------|------------------------|--------------|----------------|--------------------------------------------
stealer.svb | 🚨 INFECTED | base64_obfuscation, exec_local | https://malicious.com/payload | C:/Temp/run.exe | powershell -e | Base64: cGF5bG9hZA== -> payload...

Status: ​

You can safely migrate from v1.0. It is recommended to remove the old version to avoid confusion.

---

​

Feedback & Request​

Guys, I'm looking forward to your feedback and requests for this tool. Clicking on Reputation also helps keep the project going.