General
-
Target
NcCrack-Loader.zip
-
Size
12.8MB
-
Sample
240622-bncg8stgrq
-
MD5
18e398f15f5f2adbc5c0d8481f8a5100
-
SHA1
8f092c32b221ff1256e079cbc5ff606cffc0ff09
-
SHA256
380e7634606079bda646b9254ee41e4382b66d893023edbfa95d00f0dd8fb8a1
-
SHA512
c1825c7de4cba4e01a0d5d7a1c9b851f3d5467dc90623d26f9287467327c15959158ffb3ab776a4c24a5084b4b25e509978e2d88e9b1b7499fb25d8580fd0058
-
SSDEEP
393216:PQdfQ2QnNgnxIvrbNOGcPHaNH1C7z7mI26Bkjf+OugZFdw4V16gvp:POfQ/Ngx6oGt1C7fw6BPg5T1FR
Static task
static1
Behavioral task
behavioral1
Sample
Driver.dll
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
Driver.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
NcCrack Loader.exe
Resource
win7-20240220-en
Behavioral task
behavioral4
Sample
NcCrack Loader.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral5
Sample
config.ini
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
config.ini
Resource
win10v2004-20240611-en
Malware Config
Targets
-
-
Target
Driver.dll
-
Size
685KB
-
MD5
081d9558bbb7adce142da153b2d5577a
-
SHA1
7d0ad03fbda1c24f883116b940717e596073ae96
-
SHA256
b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3
-
SHA512
2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511
-
SSDEEP
12288:U9BzaPm657wqehcZBLX+HK+kPJUQEKx07N0TCBGiBCjC0PDgM5j9FKjc3Q5:U8m657w6ZBLmkitKqBCjC0PDgM5A5
Score1/10 -
-
-
Target
NcCrack Loader.exe
-
Size
54.0MB
-
MD5
7da9f4a912992fb26434573d65a1a0fc
-
SHA1
39a8bef04bc19ed39567039dd054174f5a6bfd1b
-
SHA256
060de3b4cf3056f24de882b4408020cee0510cb1ff0e5007c621bc98e5b4bdf3
-
SHA512
503d03b6b6654bcc1fd5a8dd6e0660bec06ac416509a6d5583cfd42168eae6adf2360f87a7b325140d4bcf430c799be1efce41c9763b992f9ac79f0a028bc445
-
SSDEEP
196608:Is6PAGLjQoTUlr/t/COz17LUU27lSalE8neeyh0f7Z+o3nPKAcfM2e1:IdPAGHXmztE0D8neewqZ+jS
Score10/10-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-
-
-
Target
config.ini
-
Size
39B
-
MD5
24aae652215ebff6b6a4f03943f4eaf7
-
SHA1
d1375c86bd8455febaa50759a36bf6795c0beff9
-
SHA256
802cbdbb7c195dad3f763c38f21900a9006db3292fffc723b3cf75c10d239ea9
-
SHA512
11c48adf07c89d0ed66dcd3aaeb354ce354af78cd26ab3c0d36dad76a5359542ae0f5cc842510c82c3e3b974ef7bbd4c6293ce6a1d8d355174b81067e02ddba1
Score1/10 -