General
Target: krunker.iohacks.cc
Size: 30.9MB
Sample: 240902-c16ghszgkh
MD5: 2850f1cb75953d9e0232344f6a13bf48
SHA1: 141ab8929fbe01031ab1e559d880440ae931cc16
SHA256: 892f11af94dea87bc8a85acdb092c74541b0ab63c8fcc1823ba7987c82c6e9ba
SHA512: 25551eb0fbca013bcebd514eb72185e157a07f116a6973bfe4b728febcefc7044a816c5c70048c3fda2eeb4ce53b52bd7b19ef1ef851a0f4fc90451e60540d6d
SSDEEP: 786432:j8Zic+QKJObt2u8xQYcLpoTEjoAsM0D0EHShV/:j8YQzB8xQzLp+nAV0BK
Static task: static1
Behavioral task: behavioral1 (sample: krunker.iohacks.exe, resource: win7-20240704-en)
Behavioral task: behavioral2 (sample: krunker.iohacks.exe, resource: win10v2004-20240802-en)
Malware Config
Extracted
Protocol: ftp
Host: files.000webhost.com
Port: 21
Username: fcb-aws-host-4
Extracted
Family: wannacry
Path: C:\Users\Admin\Documents\@[email protected]
Bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
Extracted
Family: maze
Path: C:\DECRYPT-FILES.txt
URL: http://aoacugmutagkwctu.onion/6c610cd1bf549367
URL: https://mazedecrypt.top/6c610cd1bf549367
Extracted
Family: cerber
Path: C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___9ILCPM_.txt
URL: http://xpcx6erilkjced3j.onion/828B-A048-B644-0098-B002
URL: http://xpcx6erilkjced3j.1n5mod.top/828B-A048-B644-0098-B002
URL: http://xpcx6erilkjced3j.19kdeh.top/828B-A048-B644-0098-B002
URL: http://xpcx6erilkjced3j.1mpsnr.top/828B-A048-B644-0098-B002
URL: http://xpcx6erilkjced3j.18ey8e.top/828B-A048-B644-0098-B002
URL: http://xpcx6erilkjced3j.17gcun.top/828B-A048-B644-0098-B002
Extracted
Family: stealc
Botnet: cry
C2: http://193.176.190.41
url_path: /2fa883eebd632382.php
Extracted
URL: http://192.168.5.128/powercat.ps1
Extracted
Family: redline
Botnet: Logs
C2: 185.215.113.9:9137
Extracted
Family: maze
Path: F:\DECRYPT-FILES.txt
URL: http://aoacugmutagkwctu.onion/6c6f0cb68d9a5830
URL: https://mazedecrypt.top/6c6f0cb68d9a5830
Extracted
Family: cerber
Path: C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\_R_E_A_D___T_H_I_S___3QQDXUI_.txt
URL: http://xpcx6erilkjced3j.onion/E5DB-4FF6-F4B6-0098-B935
URL: http://xpcx6erilkjced3j.1n5mod.top/E5DB-4FF6-F4B6-0098-B935
URL: http://xpcx6erilkjced3j.19kdeh.top/E5DB-4FF6-F4B6-0098-B935
URL: http://xpcx6erilkjced3j.1mpsnr.top/E5DB-4FF6-F4B6-0098-B935
URL: http://xpcx6erilkjced3j.18ey8e.top/E5DB-4FF6-F4B6-0098-B935
URL: http://xpcx6erilkjced3j.17gcun.top/E5DB-4FF6-F4B6-0098-B935
Extracted
Family: asyncrat
Version: Venom RAT + HVNC + Stealer + Grabber v6.0.3
Botnet: Default
C2: 62.113.117.95:4449
Mutex: hwelcvbupaqfzors
delay: 10
install: false
install_folder: %AppData%
Extracted
Family: redline
Botnet: PO
C2: 147.124.222.241:47056
Extracted
Family: lumma
C2: https://consciousourwi.shop/api
Targets
Target: krunker.iohacks.cc
Score: 10/10
Tags: cerber, dcrat, hawkeye, maze, neshta, phorphiex, ramnit, stealc, troldesh, wannacry, cry, banker, collection, credential_access, defense_evasion, discovery, evasion, execution, impact, infostealer, keylogger, loader, persistence, privilege_escalation, ransomware, rat, spyware, stealer, trojan, upx, worm, asyncrat, lumma, redline, sectoprat, default, logs, po, macro, macro_on_action
- DcRat: DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Detect Neshta payload
- Modifies security service
- Neshta: Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
- Phorphiex payload
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- SectopRAT payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Credentials from Password Stores: Credentials from Web Browsers: Malicious access to or copy of the web browser credential store.
- Deletes shadow copies: Ransomware often targets backup files to inhibit system recovery.
- Detected Nirsoft tools: Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView: Password recovery tool for various email clients.
- NirSoft WebBrowserPassView: Password recovery tool for various web browsers.
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell: Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Contacts a large number (1170) of remote hosts: This may indicate a network scan to discover remotely running services.
- Downloads MZ/PE file
- Modifies Windows Firewall
- Office macro that triggers on suspicious action: Office document macro which triggers in special circumstances; often malicious.
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Credentials from Password Stores: Windows Credential Manager: Suspicious access to Credentials History.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
- Modifies system executable filetype association
- Unsecured Credentials: Credentials In Files: Steals credentials from unsecured files.
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.
- File and Directory Permissions Modification: Windows File and Directory Permissions Modification
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Obfuscated Files or Information: Command Obfuscation: Adversaries may obfuscate content during command execution to impede detection.
- Power Settings: powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
- Drops autorun.inf file: Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
- Enumerates processes with tasklist
- Sets desktop wallpaper using registry
- Suspicious use of SetThreadContext