Fake OnlyFans MALWARE: Remcos Infostealer VBScript Stager

Published 2023-06-22

All Comments (21)
  • @iholo
    My favorite part is when John is trying to hide that he knows Lana Rhoades
  • @grai90
    Thanks John! Finally an excuse for my significant other to say on why I'm on OnlyFans. I'm doing it for the greater cyber security community!
  • @sofiaknyazeva
    The thing is that they used VBS this time in a good and absolutely different way. As always great work John!
  • @christenw.1726
    I just came by after watching you with Dr. Auger on his show. Been a fan of yours for a couple years now. Thanks for doing the fireside chat!
  • @debarghyamaitra
    Not gonna lie...I jumped here seeing the thumbnail🤣🤣
  • @CZghost
    Just a clarification: %WINDIR%\SysWOW64 directory actually contains 32bit program code. What SysWOW64 stands for is System Windows on Windows 64bit (which implies 32bit code emulation on 64bit Windows). The true 64bit binaries are actually in %WINDIR%\System32. So this VBS script actually checks if the system is 64bit, so it runs the correct 32bit application.
  • @user-bf4hu7im5q
    Thanks John for the quick answer, like John Wick's revenge hhhhhh... Still expecting qualities as the old vids. Details matter, you know. However we are not Fans but we are supporters. Good day to you!
  • @logiciananimal
    The colon in a traditional BASIC is a multiple-statement-per-line mechanism. So putting :: just does nothing, though it is syntactically correct.
  • As someone fairly new to these things... OH My God... as someone who is interested in these things... Oh My God. Finally, as someone who is slowly, very slowly learning these things... Thank you.
  • @nachoherrera
    That "rompepepe" variable makes me think the developer is Argentinean. "Rompe Pepe" was a catchphrase of a sketch in the humorous TV show of the nineties (Videomatch). It was a hidden camera prank where a team of workers wants to make a hole in someone's sidewalk, so the owner of the house argues with the crew and one of them says "rompe Pepe!" ("break it Pepe") to Pepe, the guy with the sledgehammer, making the victim of the prank angrier.
  • @jjann54321
    If only I had $100+ USD to spend per month on "Pro Mode" AnyRun, maybe I can be like Mr. Hammond one day. Haha. In all seriousness, great vid John, thanks for all the info you give to the community.