General
-
Target
krunker.iohacks.cc
-
Size
30.9MB
-
Sample
240410-klp5zscg81
-
MD5
2850f1cb75953d9e0232344f6a13bf48
-
SHA1
141ab8929fbe01031ab1e559d880440ae931cc16
-
SHA256
892f11af94dea87bc8a85acdb092c74541b0ab63c8fcc1823ba7987c82c6e9ba
-
SHA512
25551eb0fbca013bcebd514eb72185e157a07f116a6973bfe4b728febcefc7044a816c5c70048c3fda2eeb4ce53b52bd7b19ef1ef851a0f4fc90451e60540d6d
-
SSDEEP
786432:j8Zic+QKJObt2u8xQYcLpoTEjoAsM0D0EHShV/:j8YQzB8xQzLp+nAV0BK
Static task
static1
Behavioral task
behavioral1
Sample
krunker.iohacks.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
krunker.iohacks.exe
Resource
win10-20240404-en
Malware Config
Extracted
C:\Users\Admin\Documents\@[email protected]
wannacry
13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
Extracted
quasar
1.4.1
Office04
45.88.186.209:4782
e70efcae-9ec5-4682-aa19-15651d4d8cc8
-
encryption_key
4EF1547B5DB5058DCCEB6A60D48A54C35026D8D5
-
install_name
gfhgfgjgf.exe
-
log_directory
dfdfsf
-
reconnect_delay
3000
-
startup_key
hgfhjjhgj
-
subdirectory
ghghghfg
Extracted
C:\$Recycle.Bin\DECRYPT-FILES.txt
maze
http://aoacugmutagkwctu.onion/6c2d0cc345af21bb
https://mazedecrypt.top/6c2d0cc345af21bb
Extracted
Protocol: ftp- Host:
files.000webhost.com - Port:
21 - Username:
fcb-aws-host-4
Extracted
C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
wannacry
115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Extracted
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\_R_E_A_D___T_H_I_S___Y4BWWGQ_.txt
cerber
http://xpcx6erilkjced3j.onion/65A2-CA4A-3F69-0098-B994
http://xpcx6erilkjced3j.1n5mod.top/65A2-CA4A-3F69-0098-B994
http://xpcx6erilkjced3j.19kdeh.top/65A2-CA4A-3F69-0098-B994
http://xpcx6erilkjced3j.1mpsnr.top/65A2-CA4A-3F69-0098-B994
http://xpcx6erilkjced3j.18ey8e.top/65A2-CA4A-3F69-0098-B994
http://xpcx6erilkjced3j.17gcun.top/65A2-CA4A-3F69-0098-B994
Extracted
C:\PerfLogs\DECRYPT-FILES.txt
maze
http://aoacugmutagkwctu.onion/6d4d0cdc4956aaee
https://mazedecrypt.top/6d4d0cdc4956aaee
Extracted
C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
wannacry
12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
Extracted
gcleaner
185.172.128.90
5.42.65.64
-
url_path
/advdlc.php
Extracted
remcos
Go!!!
dangerous.hopto.org:2404
dangerous.hopto.org:2602
91.92.242.184:2602
91.92.242.184:2404
-
audio_folder
??????????? ??????
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
taskhost.exe
-
copy_folder
System32
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
true
-
install_flag
true
-
install_path
%AppData%
-
keylog_crypt
true
-
keylog_file
tapiui.dat
-
keylog_flag
false
-
keylog_folder
System32
-
mouse_option
false
-
mutex
???-LDKG91
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
?????????
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Extracted
redline
45.15.156.37:110
-
auth_value
19cd76dae6d01d9649fd29624fa61e51
Targets
-
-
Target
krunker.iohacks.cc
-
Size
30.9MB
-
MD5
2850f1cb75953d9e0232344f6a13bf48
-
SHA1
141ab8929fbe01031ab1e559d880440ae931cc16
-
SHA256
892f11af94dea87bc8a85acdb092c74541b0ab63c8fcc1823ba7987c82c6e9ba
-
SHA512
25551eb0fbca013bcebd514eb72185e157a07f116a6973bfe4b728febcefc7044a816c5c70048c3fda2eeb4ce53b52bd7b19ef1ef851a0f4fc90451e60540d6d
-
SSDEEP
786432:j8Zic+QKJObt2u8xQYcLpoTEjoAsM0D0EHShV/:j8YQzB8xQzLp+nAV0BK
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Neshta payload
-
Detect Vidar Stealer
-
Detect ZGRat V1
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Quasar payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Blocklisted process makes network request
-
Contacts a large (1462) amount of remote hosts
This may indicate a network scan to discover remotely running services.
-
Creates new service(s)
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
Stops running service(s)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Modifies file permissions
-
Modifies system executable filetype association
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory
-
Sets desktop wallpaper using registry
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Event Triggered Execution
1Change Default File Association
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Event Triggered Execution
1Change Default File Association
1Scheduled Task/Job
1Defense Evasion
File and Directory Permissions Modification
1Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
2Disable or Modify System Firewall
1Indicator Removal
2File Deletion
2Modify Registry
5Scripting
1Virtualization/Sandbox Evasion
2