General
Target: Nurik Crack.exe
Size: 17.1MB
Sample: 240515-zjbbdaba7t
MD5: b7f43033dec1673444774fff98ce38a2
SHA1: 98c5e478d0442b04610742dc997ad227f63ab5bb
SHA256: c0fb1c29e216e6ede0976d74218c4565ee5a525765995883e3d6c39d50e7c5a0
SHA512: 7e04c6491b659a51ce33c25c4d1e246850228d3098f22c82d4aa25df2726d69ce8d784d0c40376516c1b78aa8d9a0d5c7a2d1b7b57572b04e9fa532a6dac7ee1
SSDEEP: 393216:NUXX0vOtgLY3q/kXpUbIicANsdh9IvI4I4dHK/w/ZZqplCyLIr:CKaBPZUbIEyXuJPZGDIr
Static task: static1
Behavioral task: behavioral1
Sample: Nurik Crack.exe
Resource: win10v2004-20240508-en
Malware Config
Extracted: xworm
127.0.0.1:1337
104.28.229.13:1337
192.168.2.133:1337
Install_directory: %ProgramData%
telegram: https://api.telegram.org/bot6911706583:AAGIck5-GICDZLswgqJrJgL5L_TBxq7tj7Y/sendMessage?chat_id=6727135086
Targets
Target: Nurik Crack.exe
- DcRat
  DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Detect Xworm Payload
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- .NET Reactor protector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext