General

  • Target

    NukeCrypter.rar

  • Size

    15.0MB

  • Sample

    250308-xvj2js1vet

  • MD5

    930e2a1518c2a6606ab1c57918dc84f9

  • SHA1

    bd0b8e11c1c5a89ee29b33bd097489797967237f

  • SHA256

    aefbc83f1cf4facc11486398011bea48b4eae99ff13bebff0981ebc837cd1ecf

  • SHA512

    d5d4a510405eb670140002fd85c687d1c6522ea885f3437a14ce8acfc3130b11faa4c71764dc8db26f4439086a7ae1cc0d6aa2c6b5dfade9158d519fd50f89ad

  • SSDEEP

    393216:yQ519h1Mf8ZM76XeFKo6E4tFdhQ3qEgshtrWyK0:yQ5Pha8ZM1Qo6E4tFdhQyshtrlK0

Malware Config

Extracted

Family

xworm

Version

5.0

C2

45.137.201.27:2010

Mutex

NJSnJLx9hqfSdYjB

Attributes

  • Install_directory

    %LocalAppData%

  • install_file

    msedge.exe

aes.plain

Targets

    • Target

      NukeCrypter/FusionModule/reactor.lib

    • Size

      14.5MB

    • MD5

      43feb2f8ef1e6de1802d87c3fe5cb991

    • SHA1

      f04ad97fb124a5ff007189daf3e74c56aeb629ff

    • SHA256

      27809afc97fe28618236fc37b93dd933197af2697bde943537ad090ad6cd578d

    • SHA512

      cec997560044030fa3a1295b6b958a84a18e3ca606eff5f1fd7d42ceb36875c13f46e718ec39b1dda0d929beb9bd921379f4fdb953b93cdea4304e2082c997aa

    • SSDEEP

      196608:VT2F23nFoQ5RPoE72XoQZpChJwa/ThljpYvAksm8jb5HcT6Zu:AQ3nFJQE74kpThbpM8JB

    Score: 7/10

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Target

      NukeCrypter/Guna.UI2.dll

    • Size

      2.1MB

    • MD5

      1305259af462497bb6a9fa707c88bdd9

    • SHA1

      8a88f4e3b05950b708bd441ded25234c48245b54

    • SHA256

      0dc607d3c1537773a269ebb9031c40eb6d4d71392493e0c0958ce73eb747aede

    • SHA512

      4ac70ef873740e624f7a790a59f5f4fa002e76c87c9f43a68944c64d44be51a5284635d4e388d15590b8a9e4773a48987162922b89877eea7eae85643c84cc35

    • SSDEEP

      49152:RJE3dj2ZfrOQJarXvIwWQY6zlP46ATdeedHvYTKv1tZJCh+ajdVTSzvw9FG:odj2Z8

    Score: 1/10

    • Target

      NukeCrypter/NukeCryptor.exe

    • Size

      519KB

    • MD5

      5897585e89a0e475202fd43bebb8b5ec

    • SHA1

      d3b45d759ee686d142849560e7d9e55e604cd4f7

    • SHA256

      fa3d58def6d373cfadebc1fa095731594c0c281a4d4119278d88087597fbaded

    • SHA512

      eab6e541a3c427adbc2fef42f203be247e8617cb76a51e8705cf547941fd1590f383ad48bf8d9b21d3df2bf33bebe61e6d86ac010aa54bffb42edb237952ea63

    • SSDEEP

      12288:KX9eknz7sMClkSWOx08pHSsiI7nTdYDJgsIrXtG4an2aHzI+Nan11aQIYP:KXYOClkg7SsiuTkJgl84XmI+0n1UHY

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Drops startup file

    • Executes dropped EXE

    • Target

      NukeCrypter/SspiCli.dll

    • Size

      14.0MB

    • MD5

      7697bb66b64ca30f53344f8b2a4dbd2a

    • SHA1

      9fb9053ec18db85b9a55439b048fbbc694a1f9bb

    • SHA256

      49861d9f7c2743bd8e7895ce173356f11474b393d9d8ecabb79b0fecc625e790

    • SHA512

      7785d935729f342304ab87b4ea7d6050dfc76ff5e7a04123273769448a0de2e3d4c5df006136d47d6d3e476e8d23fdbb875484cd81ad29315faabe9ddea4fe79

    • SSDEEP

      196608:y8qw4TxltmlBWDolz/tGTeyMdfkjIxj4/zHd1vqGyvnkYIiHuqZf:WxDolz/tGTeyMMIwHLiGyvnkC

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Target

      NukeCrypter/dnlib.dll

    • Size

      1.1MB

    • MD5

      20e4287af743cd81d39079eac2b890fb

    • SHA1

      74547ae2277a769b60fa1b9f508791a7dd205137

    • SHA256

      1e47cd53cde93403b8ba9fea45f7da35a7dc97fa166a39b220eaeeb9cb4212f5

    • SHA512

      7932d8a8fd437d85e9e4fdb820327df1e0e065d287626b681cb1b4ccc10bebc35037fc21113c54430ed908d10e5785e5e3c34d590bba6701ae39e19490c2c499

    • SSDEEP

      24576:hR1sd/i6kuDagng+K5lGEQBi6m3zkwMKBZO0TBOi/7UURv7f+wA:G5HEQYbO8

    Score: 1/10

MITRE ATT&CK Enterprise v15

Tasks