General
-
Target
krunker.iohacks.cc
-
Size
30.9MB
-
Sample
240902-c16ghszgkh
-
MD5
2850f1cb75953d9e0232344f6a13bf48
-
SHA1
141ab8929fbe01031ab1e559d880440ae931cc16
-
SHA256
892f11af94dea87bc8a85acdb092c74541b0ab63c8fcc1823ba7987c82c6e9ba
-
SHA512
25551eb0fbca013bcebd514eb72185e157a07f116a6973bfe4b728febcefc7044a816c5c70048c3fda2eeb4ce53b52bd7b19ef1ef851a0f4fc90451e60540d6d
-
SSDEEP
786432:j8Zic+QKJObt2u8xQYcLpoTEjoAsM0D0EHShV/:j8YQzB8xQzLp+nAV0BK
Static task
static1
Behavioral task
behavioral1
Sample
krunker.iohacks.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
krunker.iohacks.exe
Resource
win10v2004-20240802-en
Malware Config
Extracted
Protocol: ftp- Host:
files.000webhost.com - Port:
21 - Username:
fcb-aws-host-4
Extracted
C:\Users\Admin\Documents\@[email protected]
wannacry
12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
Extracted
C:\DECRYPT-FILES.txt
maze
http://aoacugmutagkwctu.onion/6c610cd1bf549367
https://mazedecrypt.top/6c610cd1bf549367
Extracted
C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___9ILCPM_.txt
cerber
http://xpcx6erilkjced3j.onion/828B-A048-B644-0098-B002
http://xpcx6erilkjced3j.1n5mod.top/828B-A048-B644-0098-B002
http://xpcx6erilkjced3j.19kdeh.top/828B-A048-B644-0098-B002
http://xpcx6erilkjced3j.1mpsnr.top/828B-A048-B644-0098-B002
http://xpcx6erilkjced3j.18ey8e.top/828B-A048-B644-0098-B002
http://xpcx6erilkjced3j.17gcun.top/828B-A048-B644-0098-B002
Extracted
stealc
cry
http://193.176.190.41
-
url_path
/2fa883eebd632382.php
Extracted
http://192.168.5.128/powercat.ps1
Extracted
redline
Logs
185.215.113.9:9137
Extracted
F:\DECRYPT-FILES.txt
maze
http://aoacugmutagkwctu.onion/6c6f0cb68d9a5830
https://mazedecrypt.top/6c6f0cb68d9a5830
Extracted
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\_R_E_A_D___T_H_I_S___3QQDXUI_.txt
cerber
http://xpcx6erilkjced3j.onion/E5DB-4FF6-F4B6-0098-B935
http://xpcx6erilkjced3j.1n5mod.top/E5DB-4FF6-F4B6-0098-B935
http://xpcx6erilkjced3j.19kdeh.top/E5DB-4FF6-F4B6-0098-B935
http://xpcx6erilkjced3j.1mpsnr.top/E5DB-4FF6-F4B6-0098-B935
http://xpcx6erilkjced3j.18ey8e.top/E5DB-4FF6-F4B6-0098-B935
http://xpcx6erilkjced3j.17gcun.top/E5DB-4FF6-F4B6-0098-B935
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
Default
62.113.117.95:4449
hwelcvbupaqfzors
-
delay
10
-
install
false
-
install_folder
%AppData%
Extracted
redline
PO
147.124.222.241:47056
Extracted
lumma
https://consciousourwi.shop/api
Targets
-
-
Target
krunker.iohacks.cc
-
Size
30.9MB
-
MD5
2850f1cb75953d9e0232344f6a13bf48
-
SHA1
141ab8929fbe01031ab1e559d880440ae931cc16
-
SHA256
892f11af94dea87bc8a85acdb092c74541b0ab63c8fcc1823ba7987c82c6e9ba
-
SHA512
25551eb0fbca013bcebd514eb72185e157a07f116a6973bfe4b728febcefc7044a816c5c70048c3fda2eeb4ce53b52bd7b19ef1ef851a0f4fc90451e60540d6d
-
SSDEEP
786432:j8Zic+QKJObt2u8xQYcLpoTEjoAsM0D0EHShV/:j8YQzB8xQzLp+nAV0BK
Score10/10cerberdcrathawkeyemazeneshtaphorphiexramnitstealctroldeshwannacrycrybankercollectioncredential_accessdefense_evasiondiscoveryevasionexecutionimpactinfostealerkeyloggerloaderpersistenceprivilege_escalationransomwareratspywarestealertrojanupxwormasyncratlummaredlinesectopratdefaultlogspomacromacro_on_action-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Neshta payload
-
Modifies security service
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Phorphiex payload
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
SectopRAT payload
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Detected Nirsoft tools
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Contacts a large (1170) amount of remote hosts
This may indicate a network scan to discover remotely running services.
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
Office macro that triggers on suspicious action
Office document macro which triggers in special circumstances - often malicious.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Credentials from Password Stores: Windows Credential Manager
Suspicious access to Credentials History.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
Modifies system executable filetype association
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
Power Settings
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory
-
Enumerates processes with tasklist
-
Sets desktop wallpaper using registry
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2PowerShell
2Scheduled Task/Job
1Scheduled Task
1Scripting
1System Services
1Service Execution
1Windows Management Instrumentation
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Event Triggered Execution
2Change Default File Association
1Netsh Helper DLL
1Power Settings
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Event Triggered Execution
2Change Default File Association
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Direct Volume Access
1File and Directory Permissions Modification
2Windows File and Directory Permissions Modification
1Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
5Disable or Modify System Firewall
1Disable or Modify Tools
3Indicator Removal
2File Deletion
2Modify Registry
11Obfuscated Files or Information
1Command Obfuscation
1Scripting
1Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
3Credentials In Files
3Discovery
Browser Information Discovery
1Network Service Discovery
1Peripheral Device Discovery
1Process Discovery
1Query Registry
6Remote System Discovery
1System Information Discovery
6System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1