MaksRAT

@ShadowOpCode @vxunderground Of course, this server is parodying me.

Saw some report on an information stealer named MaksStealer, or MaksRat, or something.
Written in Java, multi-staged, delivered from some Minecraft place. The dude makes it pretty clear he's just a kid, probably around 17 years old. He seems pretty happy Threat Intelligence and Malware Analysts have looked at his work.
Proud of you, kid. You shouldn't facilitate crime and steal people's identities and/or credentials, or operate a Malware-as-a-Service campaign, but the code looks pretty solid. You get a cat for being a clever kid.

@Oliver7203 @malwrhunterteam The hash mentioned in this thread is a downloader, which downloads several components, and some of them belong to a stealer. It also steals Minecraft credentials. The author is probably max/maks/maxim. Also, the domain hosting the stealer begins with maks....

@malwrhunterteam @vxunderground Well, still, trusting everything you see in the text is not very wise either.

@vxunderground About that guy: x.com/JaromirHorejsi…
JaromirHorejsi (@JaromirHorejsi):
@malwrhunterteam Max is 17, he is bored and loves making RATs😀. All of us should talk to him. "Hello my name is Max Im 17 I love making RAT and I will love you too if you use me You can also write to me and talk to me I often get bored"

@MaksRAT_Off are you using this obfuscator? github.com/superblaubeere…

Found another suspicious Java malware in the wild
First upload: 11 April
VT: virustotal.com/gui/file/5b8cd…
bazaar: bazaar.abuse.ch/sample/5b8cda1…
Same encryption method as #MaksStealer #Malware #ThreatIntel

@ShadowOpCode @finsub26373 As for the analysis of this "ecosystem", just go to the server that gave it to you and ask them.

@finsub26373 Appreciate you sharing this!
Great that you identified the obfuscator – every piece helps when dissecting these Java stealers and mapping their ecosystem.

@ShadowOpCode http://146.103.40.110:6969
Thank you for reminding me of my childhood. I loved analyzing code like this.
I also use Skidfuscator, but here Bozar is used.

@ShadowOpCode @vmray Or wait, do you mean changing code in the RAT? I was getting an error in newer versions of Minecraft, so I had to change it.

@MaksRAT_Off @vmray The fact that you're changing things after my report says it all.
Next time, try harder. I’ll still find you.

🚨 Alert: Emergent Java stealer flying under the radar of most AVs
🔍MaksStealer masquerades as a Minecraft mod to steal browser credentials, Discord tokens and crypto wallets. The obfuscated code shows that the stealer downloads additional Java payloads from the C2.
In a nutshell:
📉 Only 3/65 AV detections on VT a month after the initial upload
🗝️ Steals Discord tokens, crypto wallets, and credentials of Chrome, Opera GX, Edge, Brave, Vivaldi, Yandex
🔐 Config strings are encrypted with DES, Blowfish or XOR
📦 Downloads additional Java payload from C2
🕵️ MaksStealer is also known as MavenRAT or MaksRAT
Check out VMRay's Dynamic Analysis report to get insights on behavior and detections others have missed:
lnkd.in/db3iduFT
Sample SHA256: 35f4a76fa14442f679e6f6d3908e5572d24025e9809abecc532350f542b52bfa

@ShadowOpCode @vmray Calm down, I'm not hiding or fiddling with anything.
I'm just glad to be noticed.
I'm happy to talk to you and point out the whole mountain of RATs that exist on Hypixel.

Hi guys, I just now saw how much you've been watching me. I really appreciate it, and I just wanted to say hi to you guys.
@ShadowOpCode @JAMESWT_WT @suyog41 @naumovax @MalwareHunterTeam @RussianPanda9xx