DISCLAIMER: selling other people's accounts online is illegal. I do not condone such actions.
If you have kept up with the most recent additions to HIBP, you will have heard of the ALIEN TXTBASE data leaks. Passwords aside, infostealer logs are a treasure trove for scammers, spammers and account crackers who sell people's accounts online. Such accounts can belong to Netflix, Crunchyroll or NordVPN. Anyway, the ALIEN TXTBASE files contain the usernames and passwords for millions of different accounts. Malicious actors do NOT have the time to manually test every single account to make sure it works before selling it on the market, so they automate the checking process with automation tools.

One such tool is OpenBullet, a favorite amongst amateur scammers who have little to no experience with coding or information security. OpenBullet on its own doesn't really do anything; it needs configs in order to become an account cracking supertool. A config gives OpenBullet instructions on how to mass-check the accounts that are fed to it. Many amateur account crackers will purchase configs from Telegram channels and then feed infostealer logs into OpenBullet to filter out the legitimate, working accounts to sell.
The problem? People don't like to spend money on configs.
I wanted to research how much of the ALIEN infostealer content contained working accounts. I had previously found that Crunchyroll is notoriously bad at securing their customers' accounts after they have been leaked, so I immediately searched for "crunchyroll svb configs 2025" and selected the first result.
What many amateur account crackers don't know is that these configs can be weaponized. OpenBullet can do fun things like download files via web requests and run executable files. Put these two things together and your config is now a dropper.
I think you know where this is going. I inspected the config and noticed some weird-looking cookies.
It doesn't take a genius to piece together that these "cookies" get combined to make a URL, and on line 117 that is exactly what happens. OpenBullet makes a request to the pastebin link, and this is the result.
This looks like a resource locator for GitHub. Sure enough, the config makes a request to GitHub using the URL it fetched from pastebin.
Just like that, a shiny new executable file appears on the computer. We will come back to this executable later. For now, we jump to the end of the file, where we see a base64 string.
Decoding this results in a Telegram link, which you definitely shouldn't spam with the Bee Movie script.
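The two tricks above (cookie values that concatenate into a URL on a host that has no business in a login checker, and a base64 blob that decodes to a link) can be spotted statically, without ever running the config. The script below is an added example and is not code from this post or from OpenBullet; the config text, the "KEYWORD "arg" "arg"" line format, the hostnames and the paths are all constructed for the example and do not reflect real OpenBullet or SilverBullet syntax.

```python
import base64
import re
from urllib.parse import urlparse

# Constructed stand-in for a config file, NOT the real config from this post and
# not real OpenBullet/SilverBullet syntax. It only mimics the two tricks described
# above: cookie values that concatenate into a URL, and a base64 blob near the end.
# All hostnames and paths are made up.
SAMPLE_CONFIG = '''
REQUEST GET "https://www.example.com/login"
  COOKIE "sessid" "abc123"
  COOKIE "c1" "https://pastebin.com/"
  COOKIE "c2" "raw/"
  COOKIE "c3" "AbCdEf12"
KEYCHECK "Welcome back"
FUNCTION Base64Decode "aHR0cHM6Ly90Lm1lL3NvbWVjaGFubmVs"
'''

# Hosts that a login checker for a streaming service has no reason to contact.
SUSPICIOUS_HOSTS = {
    "pastebin.com", "github.com", "raw.githubusercontent.com", "t.me", "telegram.me",
}

COOKIE_LINE = re.compile(r'^\s*COOKIE\s+"[^"]*"\s+"([^"]*)"', re.M)
QUOTED = re.compile(r'"([^"]*)"')
B64_BLOB = re.compile(r'^[A-Za-z0-9+/]{16,}={0,2}$')


def is_suspicious_url(s):
    """True if s parses as an http(s) URL whose host is in SUSPICIOUS_HOSTS."""
    if not s.startswith(("http://", "https://")):
        return False
    host = urlparse(s).hostname or ""
    return host in SUSPICIOUS_HOSTS


def assembled_cookie_urls(text, max_parts=4):
    """Join runs of up to max_parts consecutive cookie values (in file order) and
    return, for each start position, the longest run that forms a suspicious URL."""
    values = COOKIE_LINE.findall(text)
    hits = []
    for i in range(len(values)):
        for n in range(min(max_parts, len(values) - i), 0, -1):
            candidate = "".join(values[i:i + n])
            if is_suspicious_url(candidate):
                hits.append(candidate)
                break  # longest run wins; shorter prefixes are redundant
    return hits


def base64_urls(text):
    """Decode every quoted string that looks like base64 and return the ones that
    decode to an http(s) URL, as (encoded, decoded) pairs."""
    hits = []
    for s in QUOTED.findall(text):
        if not B64_BLOB.match(s):
            continue
        try:
            decoded = base64.b64decode(s, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64, or not text
        if decoded.startswith(("http://", "https://")):
            hits.append((s, decoded))
    return hits


def triage(text):
    """Static triage of a config: report findings without executing anything."""
    return {
        "assembled_urls": assembled_cookie_urls(text),
        "base64_urls": base64_urls(text),
    }


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_CONFIG).items():
        for item in items:
            print(kind, item)
```

On the constructed sample this reports the pastebin URL stitched together from three cookie values and the Telegram link hidden in the base64 string. A real config will use different block names and may split the URL across other fields, so the regexes are the part to adapt; the point is that a config is data you can read before it is code you run.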
Alright, so, downloading the suspicious EXE from GitHub...
What an inconspicuous EXE file. Let's look at it. A quick strings run and a pass through Ghidra reveal that this is likely a SEIDR stealer.
An article by Flashpoint gives a lot of good information about this specific piece of malware. Pushing this into VirusTotal reveals that it is obfuscated using .NET Reactor. We are dealing with a .NET binary, most likely C#.
Ruh roh, I don't wanna install a suspicious .NET Reactor deobfuscator! It's off to dynamic analysis!
To be continued? If not, the moral of the story is: don't run code you don't trust.