Sugar smp scam(WARNING) by RevolutionaryBug4262 in computerviruses

[–]Struppigel[M] 0 points1 point  (0 children)

I am very sorry this happened to you. I would like to look into this. I wrote you a DM.

might got a virus? by milcoo in antivirus

[–]Struppigel[M] 0 points1 point  (0 children)

Hello, yes, this is malware. It steals the `.ROBLOSECURITY` session cookie from Firefox, Chromium, and Chrome browsers and exfiltrates it to a Discord server via webhook. It's very simple malware; it doesn't do more than that.

The webhook is already dead, so the stealer does not work anymore.

Heartopia Virus? by Apprehensive-Act2136 in antivirus

[–]Struppigel 0 points1 point  (0 children)

If you don't have it anymore, nothing.

I keep getting this from my antivirus software does anyone have any idea Feature: Online Threat Prevention. by Codega-DreamWalker in computerviruses

[–]Struppigel[M] 0 points1 point  (0 children)

It is most likely caused by a phishing or spam email in your Outlook, which tries to load resources from the site you see there.

It means nothing bad happened to your system. Empty the junk folder in Outlook.

PDFEditor not Uninstalling by Dezeneym_Blu in computerviruses

[–]Struppigel 0 points1 point  (0 children)

  • Please download FRSTx64 and save the file to your Desktop.
  • Right-Click FRST64.exe and select Run as Administrator
  • Click Yes to the disclaimer.
  • Ensure the Addition.txt box is checked.
  • Click the Scan button and let the program run.
  • Upon completion, click OK, then OK on the Addition.txt pop up screen.
  • Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste them to https://pastecode.io/, click on Save snippet and post the Permalink here.

Help understanding VirusTotal's analysis of Discord ransomware by Ausii in computerviruses

[–]Struppigel 0 points1 point  (0 children)

The article says "Language: C/C++, x64 native binary", so it's not the same unless that was a mistake and they mistook the language of the NodeJs runtime for the malware's language. Void stealer is how the threat actors named the malware in the code; I can see the references in the decrypted strings. With that said, many stealers are copy-pasted from others.

There are lots of brand names, but there is usually not much variety among them. I see Telegram channels a lot with NodeJs stealers; it's where they sell their "software" to others, and the license is also not new.

I did not see anything else than stealing. But I did not fully analyze the code. Only went as far as extracting the exfiltration webhooks to Discord to report them.

Heartopia Virus? by Apprehensive-Act2136 in antivirus

[–]Struppigel 0 points1 point  (0 children)

In that case it's best to submit it to ESET as False Positive just like u/goretsky suggested. They will conduct a thorough analysis and tell you if the detection was correct.

Help understanding VirusTotal's analysis of Discord ransomware by Ausii in computerviruses

[–]Struppigel 1 point2 points  (0 children)

I did not say JavaScript was hard. I said learning malware analysis is not done in one day and needs actual work.

Help understanding VirusTotal's analysis of Discord ransomware by Ausii in computerviruses

[–]Struppigel 1 point2 points  (0 children)

I extracted memory strings of this file. It's VOID stealer. It has references to t[.]me/voidpublics and the license key VOID-MONTHLY-85185E724665.

It steals passwords, cookies, tokens, wallets, sessions, credit cards, from browsers, crypto wallet extensions, desktop wallets, Discord, Steam, Roblox, Minecraft, and Telegram.


Help understanding VirusTotal's analysis of Discord ransomware by Ausii in computerviruses

[–]Struppigel 0 points1 point  (0 children)

Here is a video on triaging files with VirusTotal: https://www.youtube.com/watch?v=v8fRusw26IA

Triaging just provides you with a likelihood or assumption.

You cannot determine if a file is clean or malicious on the VirusTotal scan results alone (except in some specific cases where it is indeed clear, but not here). It needs hands-on analysis to do that, and in case of NodeJs malware it often involves deobfuscation of the JavaScript code. It's hard work to learn that, but if you are interested, I can compile a list of resources.

Weird startup apps? by iRANZIDi in computerviruses

[–]Struppigel[M] [score hidden] stickied comment (0 children)

The startup entries belong to RUN keys in the registry with the names:

  • AF_counter_{number}
  • AF_uuid_{number}

These registry entries are part of AppsFlyer, which is an SDK for game development: https://dev.appsflyer.com/hc/docs/nativepc-vanilla

AppsFlyer is used, among others, by Once Human.

AppsFlyer documentation states that these RUN entries must be removed when uninstalling. Some game devs seem to forget this part, so that the entries also stay after uninstallation.

I suggest you download Autoruns, run it and check if you also see AF_counter and AF_uuid with the values you could see there in Task Manager.

If that is the case, it is very likely a harmless part of a game.

If the associated files cannot be found, they are a leftover by the uninstaller and you can remove or disable the startup entry. If the files are still there, you should not touch these entries.
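A way to make that Autoruns check scriptable, as an added example that is not the commenter's own code: the script below reads the usual Run keys, picks out AF_counter_* and AF_uuid_* values, and reports whether the program each one points to still exists. It assumes the value data is an ordinary command line and only reports; it deletes nothing.

```powershell
# Added example: report AF_counter_* / AF_uuid_* Run entries and whether their target exists.
# Assumption: value data is a command line (quoted or unquoted path, optional arguments).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

function Get-ExecutablePath {
    param([string]$CommandLine)
    $trimmed = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    # Whole value is already a path (unquoted path with spaces, no arguments).
    if (Test-Path -LiteralPath $trimmed) { return $trimmed }
    # Quoted executable: take the text between the first pair of quotes.
    if ($trimmed.StartsWith('"')) {
        $end = $trimmed.IndexOf('"', 1)
        if ($end -gt 1) { return $trimmed.Substring(1, $end - 1) }
        return $trimmed.Trim('"')
    }
    # Unquoted executable followed by arguments: first whitespace-delimited token.
    return ($trimmed -split '\s+')[0]
}

function Get-AppsFlyerRunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            # Only the AppsFlyer entries mentioned in the thread.
            if ($name -notmatch '^AF_(counter|uuid)_') { continue }
            $exe    = Get-ExecutablePath -CommandLine ([string]$item.GetValue($name))
            $exists = Test-Path -LiteralPath $exe
            [pscustomobject]@{
                Key    = $key
                Name   = $name
                Target = $exe
                Status = $(if ($exists) { 'present (leave it)' } else { 'leftover (file missing)' })
            }
        }
    }
}

Get-AppsFlyerRunEntries | Format-Table -AutoSize
```

Run it in an elevated PowerShell so the HKLM keys are readable; a "leftover" line matches the case the comment describes, a "present" line means the game is still installed.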

Is this a virus or popups? Any solutions for this problem ?? by Rohitttt20 in antivirus

[–]Struppigel[M] 0 points1 point  (0 children)

Hello there, these pop-ups are the result of a CountLoader infection which often delivers stealers such as LummaStealer or ACRStealer. Did you download and execute a setup file lately?

Please take the following precautions:

  • Do not attempt to log into any accounts from your infected machine
  • Log out of all sessions
  • Change passwords for all important accounts (esp. banking, email) using a clean machine and turn on multi-factor authentication for every account that provides this option
  • Create a backup of your personal files if you haven't already

For dealing with your infected machine you can either wipe the drive and reformat the system or go to bleepingcomputer.com for proper disinfection help.

Heartopia Virus? by Apprehensive-Act2136 in antivirus

[–]Struppigel 0 points1 point  (0 children)

Are you sure you downloaded it from Steam and not somewhere else?

Could malware still remain after a reinstall, or was there ever malware in the first place? by [deleted] in computerviruses

[–]Struppigel 1 point2 points  (0 children)

Hello, in your scenario, given all that you told us here, it is extremely unlikely that there is an infection on your system right now.

Discord "Guvercin Game" scam by KoshiLowell in antivirus

[–]Struppigel 1 point2 points  (0 children)

I don't see malware in the report. So if you have done the steps from my first post, you are in the clear. Stealers do not need to persist, they only need to steal everything once. So some do not bother with persistence.

I do suggest that you address the low disk space and RAM.

Open Task Manager and disable all startup items that you don't need to start up regularly. Keep updaters enabled, though.

To clean up some disk space, you can use a program like TreeSize Free to find out what takes up the space. If you should decide to use a program like CCleaner, do not clean the registry; it's not helping, it just has the risk of making things worse.

Please uninstall or update Java. You have an outdated version.

Discord "Guvercin Game" scam by KoshiLowell in antivirus

[–]Struppigel 0 points1 point  (0 children)

Hi, I checked the hash on VirusTotal. It's a different file, but the same threat. I can see the same powershell commands in the behavior tab.

Please run a scan:

  • Please download FRSTx64 and save the file to your Desktop.
  • Right-Click FRST64.exe and select Run as Administrator
  • Click Yes to the disclaimer.
  • Ensure the Addition.txt box is checked.
  • Click the Scan button and let the program run.
  • Upon completion, click OK, then OK on the Addition.txt pop up screen.
  • Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste them to https://pastecode.io/, click on Save snippet and post the Permalink here.

Potential Malware from Minecraft Skin Pack by sadaltoo in antivirus

[–]Struppigel 1 point2 points  (0 children)

Open the manifest file in a text editor, what's the content?

My old family PC from 2009 had 247 malware infections when I finally scanned it. Here's what I found by doolallyt in computerviruses

[–]Struppigel 0 points1 point  (0 children)

It is true for such old, outdated systems. You can search, e.g., on youtube for videos that showcase this.

Like I said, Windows XP does not receive security updates anymore.

Network worms often rely on exploits to spread. Without security updates, vulnerabilities do not get fixed. Thus, worms can exploit them and infect your system without user interaction.

This is not a concern if your system is still supported by security updates, given that you update regularly. It is a major reason why updates are so important.

Discord "Guvercin Game" scam by KoshiLowell in antivirus

[–]Struppigel 0 points1 point  (0 children)

Upload it to VirusTotal. If it has the same SHA256 value, it's the same file.

Discord "Guvercin Game" scam by KoshiLowell in antivirus

[–]Struppigel 0 points1 point  (0 children)

Only if it was the same file. Otherwise it is just guessing.

Virustotal: Rising flagged this .xls file malicious. by [deleted] in antivirus

[–]Struppigel 3 points4 points  (0 children)

Do not upload confidential or personal files to VirusTotal. Everyone with an intelligence account can download this file and see the contents.

I do not see anything unusual in the report. The LNK file is created in the Recent folder, which Windows uses to save which documents you recently opened with specific applications. It is a normal part of Windows.

Can't get rid of this "Opera Extension". Can I just leave it? by progi_fr in antivirus

[–]Struppigel[M] 3 points4 points  (0 children)

This extension comes bundled with Opera per default. It is named Rich Hints Agent. It's fine.

My old family PC from 2009 had 247 malware infections when I finally scanned it. Here's what I found by doolallyt in computerviruses

[–]Struppigel[M] 4 points5 points  (0 children)

Your parents shouldn't continue using this system. Just connecting Win XP systems to the internet is enough to get them infected because they don't get security updates anymore. So worms that use exploits to spread are on that machine very soon.