General
-
Target
NcCrack-Loader.zip
-
Size
12.8MB
-
Sample
240622-tgg39axgml
-
MD5
18e398f15f5f2adbc5c0d8481f8a5100
-
SHA1
8f092c32b221ff1256e079cbc5ff606cffc0ff09
-
SHA256
380e7634606079bda646b9254ee41e4382b66d893023edbfa95d00f0dd8fb8a1
-
SHA512
c1825c7de4cba4e01a0d5d7a1c9b851f3d5467dc90623d26f9287467327c15959158ffb3ab776a4c24a5084b4b25e509978e2d88e9b1b7499fb25d8580fd0058
-
SSDEEP
393216:PQdfQ2QnNgnxIvrbNOGcPHaNH1C7z7mI26Bkjf+OugZFdw4V16gvp:POfQ/Ngx6oGt1C7fw6BPg5T1FR
Static task
static1
Behavioral task
behavioral1
Sample
Driver.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral2
Sample
NcCrack Loader.exe
Resource
win10v2004-20240508-en
Malware Config
Targets
-
-
Target
Driver.dll
-
Size
685KB
-
MD5
081d9558bbb7adce142da153b2d5577a
-
SHA1
7d0ad03fbda1c24f883116b940717e596073ae96
-
SHA256
b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3
-
SHA512
2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511
-
SSDEEP
12288:U9BzaPm657wqehcZBLX+HK+kPJUQEKx07N0TCBGiBCjC0PDgM5j9FKjc3Q5:U8m657w6ZBLmkitKqBCjC0PDgM5A5
Score1/10 -
-
-
Target
NcCrack Loader.exe
-
Size
54.0MB
-
MD5
7da9f4a912992fb26434573d65a1a0fc
-
SHA1
39a8bef04bc19ed39567039dd054174f5a6bfd1b
-
SHA256
060de3b4cf3056f24de882b4408020cee0510cb1ff0e5007c621bc98e5b4bdf3
-
SHA512
503d03b6b6654bcc1fd5a8dd6e0660bec06ac416509a6d5583cfd42168eae6adf2360f87a7b325140d4bcf430c799be1efce41c9763b992f9ac79f0a028bc445
-
SSDEEP
196608:Is6PAGLjQoTUlr/t/COz17LUU27lSalE8neeyh0f7Z+o3nPKAcfM2e1:IdPAGHXmztE0D8neewqZ+jS
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Downloads MZ/PE file
-
Event Triggered Execution: Image File Execution Options Injection
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Checks system information in the registry
System information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Event Triggered Execution
2Image File Execution Options Injection
1Component Object Model Hijacking
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Event Triggered Execution
2Image File Execution Options Injection
1Component Object Model Hijacking
1Scheduled Task/Job
1Scheduled Task
1