Overview

overview

10

Static

static

3

クラック.exe

windows11-21h2-x64

Sharing

Copy URL
Twitter E-mail

General

  • Target

    クラック.exe

  • Size

    17.8MB

  • Sample

    240909-zzvd7ascqf

  • MD5

    61bcb94052e57f07e8c662a80d8c29c1

  • SHA1

    db9d2e9e37eddedc1722727e8ce5a0a242a9ff10

  • SHA256

    3b0cfdd500288507ec287e0e2f33d7acb7a2bcad1537fcfb29a47a4fa7cc23a6

  • SHA512

    7f9f9c2c6cd5dd49baf6791808e5a31c9e4726d27f87aaad8e2df75ab2a0dbf20956d0bab8761a9e742d1fa85052f9f7f0ae8e6cf269a0761053786e547935a1

  • SSDEEP

    49152:U6m1Vv6+nTCnjhT5iD1hTIUGzVnDk7Q3xCDza91PU3i/hv/kklWHvv7vTRZOp6/u:Um

Score
10/10
asyncratdcratnjratremcosstormkittyxloaderaugust crypter toolz grace stubdefaulthackedkosomk 555чучундраeidodefense_evasiondiscoveryevasionexecutioninfostealerloaderransomwareratstealertrojanupxvmprotect

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

чучундра

C2

hakim32.ddns.net:2000

safety-bronze.gl.at.ply.gg:4444
Mutex

27b92504703b09d3ee2dae0873e8e3f3

Attributes
  • reg_key

    27b92504703b09d3ee2dae0873e8e3f3

  • splitter

    |'|'|

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot7293375371:AAFwIvNWcuknS3y3mtsx4yNSSTkj8NCF_ko/sendMessage?chat_id=5795480469
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

192.168.1.42:5552

Mutex

bf7b1fe7a7644171a9985ea45221c25c

Attributes
  • reg_key

    bf7b1fe7a7644171a9985ea45221c25c

  • splitter

    |'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

kosomk 555

C2

dovelabobzgnan.ddns.net:5552

Mutex

a8c0d4cf5cfc2cc1149b5e071c2ab5df

Attributes
  • reg_key

    a8c0d4cf5cfc2cc1149b5e071c2ab5df

  • splitter

    |'|'|

Extracted

Family

remcos

Botnet

AUGUST CRYPTER TOOLZ GRACE STUB

C2

teamfavour222.ddns.net :6767

odogwuvisual123.duckdns.org:6767
Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    -YFLE4M

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-242286936-336880687-2152680090-1000\OWLTYP-DECRYPT.txt

Ransom Note
---= GANDCRAB V5.0.3 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE WILL BE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .OWLTYP The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/76acb89d2bc7cc06 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAI2oDtIVi9i+zikXZe+EvWHoRswhMX3mfrKHo3kO23/M5gTF5bmakBJ9BKzv7rnLye03yFjajh/e9OaJdluTWXmMfTVkgu6CDLDurR+TddW1La0f96jeP7tDIJ7Ib+g3OE+ppnNQL6BSEuHPQ+VfV6CrR9nKKko4UzyCa+5cBJDv4MUKTA2u2RqbvoWYC1fXe1K9tR2KfOo4JZETV9bmz/4pfZg9r29VAjpL8ht+h+QF3mcTXeHupanTHLpLvzCX9OJxT/pNG2/bMkv0r8zXBULrtbCdyWbWhD9Wasc19AAfPD8lwdEFTd6lLoE0M6tjp/TbCTISTEDY1pu9QVuuVJCp7efFYzw8Ycg7/fZ0+HOBCfGL92Lb4rLKxQYMa2rJS5Rf8iHijRnAN/m1UNiGut3w4eB8mykwTjoPbtJQtdPa1n8G90hgpx/4a8AtbMVT/82zeOalf+UxBNWNp1gIctqMuHKW5txIkzvqXEtXyrkzxhyUE79JpHrd9sug23h79nrMenFNxoevDk6RD30xkZmAWGWDE3wII4QYe/IVQGKaAqs4zjzQ2nGZ+1rlQ/zeprp2zd7NhEhmtGbzUJFiqz2b1L/QYzABJk0IBvFpZCnB0MkaGtknQ+zHhFMYp8HOkajLGAN6ESJ80kiN6gOlsRtfUMWxxFYRY2V2NhAixt2xox1+a/a95ReUV69g0upF10lzX/7PwdF93bd1LaAdoU1vEbhlZAoY76d0ePtYugIbArKm7D7CL2llE6VtRPWAYN3RJld6ALIo/Rpvx91TcxHYagWCVpuqdm0gXiRBqpYAZIKZ0GyAApBoobuJM8g/32ymh5MIkuD5+3BMR3qRQ6WGptxUGt8WJND98kExL5sG7fmUOcwgwkRWSqBN0LuyQrDnJxmMaXnx4hFRHOIFUAP058bml52XmiDSS+d5EWzdtwzJS9ZcPgr/YfXJccwfuU4D9aGzVrOkxyL7QfRXFmZBedswfYRWPX1o7hxJVE4ipxtQv/39CE3W2+pWUYlgDaFyVTKxNkhAxHCJSW5AUAcb6cxkbHrTyNGutk+rb98mJlT++p+of1iy69C0pbC1OZ8uKUsSoLCMs/9hr2GkI1sf2nLrbg3QDKFoVkyuJB7Z6wJIzIs+DuS4PDp4zMt/pKG7Iz4BUd0SagD2kjNiSx2nnkcwps1pJoOmcBYk/G620kFquvPfZpwAIyw/V6DHeFeMMzCyO2tgTyEGOUhPkZeAFJLTpYSbRTRltMS6azciW2qQrk4Y+YjKU5qkM8hYKoq0/iU3IAmD+xNm/R9NamvOmcx1wqi8KFLvhocAVnRcFVHc5BiTuH8NCJjhPZu9Ia5c7iCo1ZjVF8kYfQh/+Q/LkEhN962V8dAjYw9hK8HPY32uKsqsr/xEp7ceJ6Kda2zDc38Xl11wjM6febBpVSIndqXtgauVaXMN1SfcwsBrUNwD6tSJ+TX5j7J2cOYv7IDhRk/gxqAkB1VrRmJezeNAu86C0Z6T4KW6peHcnNv+hmkhCxRXtHsT/AnOingWTaDdU19fW+SQiotpqYDAuW/pd0aPbBdmHt9LIjpc260c5S7RUEXBJKpQ/19ZyqBmjWsZjbY5rvZDFcTpWFV2/aCpNkXjVL/EHjQJKqpDoN9KG4Ky09khsiLhsfIE1/vVcISVtie7NaJmUNi18eWqc35H0fDXU52cngYNXGdragxsBILgNESzGb3Mae756w5kcjo6xFWR9uH3gHHkBIJRiZlI68OuGXX0wforLUjOP9K0pgD3a7vlRgWBMwLyuBAAt37fW4/3RBqU+NoQG+rot94oO9RsBEG1A7eKeHmOAE5sog0yO4EQ2fdMzaumz5UOy8MiC0n1v3qrg+aT0t7+CiDMdHV0JEEq8u/qvwTuBi6ti1wfzobZiDdmvvRGa4EWcg+oJwi0Cde2uzVR2VUqx3RkzqyoTtCaIrtkO5qTCxTYDADlXj4Yx9jt1yjniuz4QABCUZi3EdoMsmMXp9qT1pfRF/m3+E0WmDN2qUbeXHiJdHTjAsUQFWrFhBr/mFKhZTiY4so7eEzfD/dSErG41doJwNHyAVCKJEagdGBd5OvuizQ6It3ANPEJ6iIADYf5kHpgwd1ui/wX2EjiFBCQ6fVE2NsAPCgpooRG7NPBxC9JUNpYy89ZzP4sVgbSIcQPJWuzt2uNLvg20jxaO9Q0RSl3YeqBow45BCruz10Kmf1kKyOToCHfY7Y3Essp+aUuw2OIJ48= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZfTpFRuHYL7nxWrrfaTG+Hhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wNmoQoAHZIP7k/TfrG1tVzlDb3jcZAB3gql9dnWN0lCD4xdg7bDNQrvH1xSi3FCw+6kfktKtizqdynr7r154JiurEmkUXB5+Ki/zc2Qut0GtNYZVrXBiXt/xGFEd4b8idB4tm4Pab3Y5NyPYz32XaispQRTRkqF1PXJPcJ15EHwNAoARPLnK8+Au5ZALyfhGEwg6hrKQ3vxBFKwg70Zi7pDxFI3vbLNeap1wYZNHQRRlOKYDmn1lvgAn90mSDf7SyGQSZnn7Ivlsuw7HIKVYbpfzf2fBccdMBnP2lNhH9XQ3DC2qZAEuDtLkioBZ9MNJGhHpcOfb/LRc8P54k7V/HuibORzJL9NXYEh8sz/ewORahtHP+ZbmbW4eJPXp1eNtQ19EJhJFLe2qhgw2mJLRMzwAtbfjn5E2ENiW4EkrJfTw== ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/76acb89d2bc7cc06

Extracted

Family

xloader

Version

2.6

Campaign

eido

Decoy

revellbb.com

tempranillowine.net

viralstrategies.info

blacktxu.com

flfththirdbank.com

vaoex.com

theselfdirectedinvestor.com

vinadelmar.travel

othersidejimmythemonkey.com

jaguar-landrovercenter-graz.com

supremeosterreich.com

chatsubs.com

free99.design

serviciosmvs.com

bongmecams.xyz

malikwoodson.com

onlinegamebox.club

694624.com

yeezyzapatos.club

istanbul-hairtransplant.com

Targets

    • Target

      クラック.exe

    • Size

      17.8MB

    • MD5

      61bcb94052e57f07e8c662a80d8c29c1

    • SHA1

      db9d2e9e37eddedc1722727e8ce5a0a242a9ff10

    • SHA256

      3b0cfdd500288507ec287e0e2f33d7acb7a2bcad1537fcfb29a47a4fa7cc23a6

    • SHA512

      7f9f9c2c6cd5dd49baf6791808e5a31c9e4726d27f87aaad8e2df75ab2a0dbf20956d0bab8761a9e742d1fa85052f9f7f0ae8e6cf269a0761053786e547935a1

    • SSDEEP

      49152:U6m1Vv6+nTCnjhT5iD1hTIUGzVnDk7Q3xCDza91PU3i/hv/kklWHvv7vTRZOp6/u:Um

    Score
    10/10
    asyncratdcratnjratremcosstormkittyxloaderaugust crypter toolz grace stubdefaulthackedkosomk 555чучундраeidodefense_evasiondiscoveryevasionexecutioninfostealerloaderransomwareratstealertrojanupxvmprotect

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • StormKitty

      StormKitty is an open source info stealer written in C#.

      stealerstormkitty

    • StormKitty payload

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Async RAT payload

      rat

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Xloader payload

      rat

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Drops file in Drivers directory

    • Modifies Windows Firewall

      evasion

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

      defense_evasion

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Uses the VBS compiler for execution

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Scripting

1
T1064

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Impair Defenses

2
T1562

Disable or Modify System Firewall

1
T1562.004

Safe Mode Boot

1
T1562.009

Scripting

1
T1064

Credential Access

Discovery

Remote System Discovery

1
T1018

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks