Jump to content
Tuts 4 You

fake crack sites


Xyl2k

Recommended Posts

So you want to download some releases from snd? alright let's see at snd.webscene.ir, the distribution section menu contain a link pointing at hxtps://keygens.pro/
Super, looks like there a lot of cracks over here! and the site is virus free, right?

9u2fgQ1.png

So let's pick something, i don't know, maybe 7-Data.Card.Recovery.1.1.keygen-SND hxtps://keygens.pro/crack/729775/

OFsCsqt.png

lol @ description on the page, didn't know reagan was from snd and born in russia :)
Anyway we got redirected on a download page after clicking 'Download only Keygen' button, we have to fill a captcha and agree to the conditions

aouJxXr.png

The archive is password protected and contain only one file "setup_pass-123.exe"
If we try to download some other random files from the keygens.pro collection, sometime we have variations.
e.g: Any.video.converter.Ultimate.keygen-URET hxtps://keygens.pro/crack/733508/ who contain a 'readme.txt' but we still have our suspicious setup_pass-123.exe inside.
antiviruses aren't really happy about the file when sent to virustotal, but hey, it's kind of normal it's a crack afterall.
The file in question is identified massively as 'remcos' (avira, kaspersky, f-secure,..) remcos is a know trojan, and this time they have right.

I've sent the file to my capev2 (like cuckoo sandbox but with python3) who also identified it as remcos, and even exactly version 2.7.0 Pro.

qkojsbT.png

The process tree:

  • path-pass-123.exe 1204
    • powershell.exe 764 powershell -w 1 -e cwB0AGEAcgB0AC0A [REDACTED]
      • mc.exe 588
      • mc.exe 2816
      • trading_bot.exe 2776
  • services.exe 484 C:\Windows\system32\services.exe

  • lsass.exe 2992 C:\Windows\system32\lsass.exe

mc.exe do a NtOpenMutant with mutex name 'Remcos_Mutex_Inj'
fews deletefile()

DeletedFile: C:\Users\PC\AppData\Local\Temp\g23cbt11.tv1.ps1
DeletedFile: C:\Users\PC\AppData\Local\Temp\rgmxlij1.zlj.psm1
DeletedFile: C:\Users\PC\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a5a4f0c9-7658-465a-89b7-50210e17552a
DeletedFile: C:\Users\PC\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_aa1cabc1-b688-4c89-bf51-d9e59fc195d8
DeletedFile: C:\Users\PC\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_33715418-423c-4ee6-9bfb-e19632c208c1
DeletedFile: C:\Users\PC\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_d9fccf31-e642-45c3-b729-86cbf5ec234c
DeletedFile: C:\Users\PC\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_99c3bc19-136a-483f-a231-8276ab84ee13
DeletedFile: C:\Users\PC\AppData\Roaming\Microsoft\mc.exe
DeletedFile: C:\Users\PC\AppData\Local\Temp\webcam.png
DeletedFile: C:\Users\PC\AppData\Local\Temp\screenshot.jpg
DeletedFile: C:\Users\PC\AppData\Roaming\Mozilla\Firefox\Profiles\fuv0sisu.default-release\cookies.sqlite24628718
DeletedFile: C:\Users\PC\AppData\Roaming\Mozilla\Firefox\Profiles\fuv0sisu.default-release\formhistory.sqlite24628875

About the dropped files, it write a file 'logs.dat' into \AppData\Roaming\temp\, in my case:

[2020/10/15 05:31:33 Offline Keylogger Started]

[ Program Manager ]

[Following text has been copied to clipboard:]
h
[End of clipboard text]

{ User has been idle for 400 minutes }

And what's was the 'screenshot.png' he created and then deleted? this:
dQz4GG3.jpg

one of my capev2 vm, the malware have a bit oversized the screenshot tought.
The file sniff keystrokes, harvest/steal private information from browsers and messenger clients, take screenshots from pc and webcam if connected, and installs itself for autorun at startup, yep that not really what we where looking for.

Alright... let's search for another site then..
We type "download crack" on google and we are now on keygenninja.com (former KeygenGuru) according to them.
site is in second result in google main page, the authors of the sites play on search engine rankings, .. and are extremely well positioned (they pay Google for that)

vgZ1CoN.png

Let's try to download something, idk, maybe 'Panopticum IcePattern v1.2 for Adobe Photoshop' hxtps://keygenninja.com/serial/panopticum_icepattern_v1_2_for_adobe_photoshop.html

EOm1ik5.png

We click the 'Download Keygen' button and get redirected on another site hxtps://cracknet.net/d/a95b2bff8a272ss9p.html
Now we are on a page with 2 big 'download' buttons, the text indicate also that the archive password is 12345
When you click on the button the download is launched, but from another external site: hxtps://get.ziplink.xyz/

gO2cb9B.png

I've found also another site: serialms.com, this is just another 'showcase site'.
All the cracks point to the same address (cracknet.net). they also have the same db as keygenninja.com

YZ0x3OY.png

Well, we have 3 files in the archive, one executable, and unless keygens.pro, this time we have the info files (nfo and diz file), apparently a release from team inferno (a cracking group who disbanded in 2006)
The nfo says it was released in may 2020 and the files timestamp seem from 2020, is inferno back ? :)
Dq971a6.png

When extracting the executable from the archive, we got a suspicious 'rar sfx archive' icon, if we look for executable properties, windows will confirm it's a self-extracting archive.
Meaning we can also rename the file to .rar and open it with winrar to see what's going on.
btw that archive inside the archive [insert xzibit yo dawg meme here] is also password protected with '12345'

gCL8e2v.png

According to virustotal only 10 on 70 engines detect it as hostile.
Suspicious again huh? let's send this file to capev2 too.
When sending a password protected sfx archive, you need to fill the option field with: 'arguments=-p 12345' in capev2, so it will be able to run it with the password.
And.. here is the process tree.. yep a big one too, the sfx archive contain a sfx archive, who contain severals other sfx archives [insert again xzibit meme here] and execute everything, resulting a lot of new processes.

  • Panopticum.IcePatter.exe 172 -p12345
    •  cmd.exe 2696 C:\Windows\system32\cmd.exe /c ""C:\Users\PC\AppData\Local\Temp\RarSFX0\keygen.bat" "
      • intro.exe 816 intro.exe 1O5ZF
      • keygen-step-1.exe 3916 keygen-step-1.exe
      • keygen-pr.exe 3892 keygen-pr.exe -p83fsase3Ge
        • key.exe 1280
      • keygen-step-3.exe 3524 keygen-step-3.exe

        • cmd.exe 3804 cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\PC\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"

          • PING.EXE 2572 ping 1.1.1.1 -n 1 -w 3000

      • keygen-step-4.exe 2624 keygen-step-4.exe

        • file.exe 3896

        • 002.exe 4548

        • Setup.exe 4152

          • slic.exe 4148 1

            • 984D0A19445AA8C5.exe 1552 0011 installp1

            • 984D0A19445AA8C5.exe 1144 200 installp1

              • cmd.exe 3280 cmd.exe /c taskkill /f /im chrome.exe

            • msiexec.exe 2880 msiexec.exe /i "C:\Users\PC\AppData\Local\Temp\gdiview.msi"

      • services.exe 472 C:\Windows\system32\services.exe

        • svchost.exe 592 C:\Windows\system32\svchost.exe -k DcomLaunch

          • dllhost.exe 3832 C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

          • dllhost.exe 2064 C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

        • svchost.exe 3224 C:\Windows\system32\svchost.exe -k netsvcs

        • VSSVC.exe 3648 C:\Windows\system32\vssvc.exe

GqWcmLT.png

One file lead to many files :)
So what's going on? well, a lot of things.

This isn't remcos RAT like in keygens.pro, i don't know what exactly is all of this, my capev2 seem to detect it as Azorult (a know password stealer)
I thinks it's a false positive for 'azorult' malware familly but this one is also harvesting credentials from browsers, bitcoin wallets clients, FTP clients, email clients...

BTRSetp.exe seem packed with 'Eshelon revolution protector', it have also a mention to lenin.

// Module 

[module: SuppressIldasm]
[module: Glory_to_the_Great_Lenin_and_the_October_Revolution!!!("Eshelon Revolution Protector ")]
[module: EF58C16E8C("Discord Link :  v1.0.0-custom")]

The batch file keygen.bat unpack keygen-step-4.exe with password 83fsase3Ge
This archive contain key.exe and JOzWR.dat, when key.exe is executed it will look in the same folder for the file JOzWR.dat, who is later decoded by key.exe and loaded in memory a 'lzma decoder' screenshot here in memory

 

8cw972U.png

dumped JOzWR.dat is detected by 13 engines.

ASCII "-txt  -scanlocal -file:potato.dat"
potato.dat is a file that will be later created in %TEMP% and who contain harvested serial numbers from your applications, including windows license key.
exemple of what contain the file in my capev2:

Computer: PC-PC -  Main scan

Microsoft Office Professional Plus 2010 - License Key - REDACTED-REDACTED-REDACTED-REDACTED-REDACTED
Microsoft Office Professional Plus 2010 - Product ID - REDACTED-REDACTED-REDACTED-REDACTED
Microsoft Office Professional Plus 2010 - License Key - REDACTED-REDACTED-REDACTED-REDACTED-REDACTED
Windows 7 Ultimate - Extra info - Full product name: Windows 7 Ultimate Service Pack 1
Product ID match to CD Key data
Product Part No.: REDACTED
Installed from 'Full Packaged Product' media.
Is OEM: No
Windows 7 Ultimate - License Key - REDACTED-REDACTED-REDACTED-REDACTED-REDACTED
Windows 7 Ultimate - Product ID - REDACTED-REDACTED-REDACTED-REDACTED
Windows 7 Ultimate - User - PC


Computer: PC-PC - Deep scan

The guy who want free serials get his serials harvested, isn't that a paradox?

In conclusion: never open or visit crack sites if you don't have the knowledge to avoid infections, use common sense as some will even try to trick you with fake nfo/fake releases.
Maybe buy your softwares (or crack them yourself) to avoid that, and don't trust crack sites at all, even if they was 'legitimate' like keygens.pro, they can go rogue anytime.

Edited by Xyl2k
readability
  • Like 8
  • Thanks 3
  • Haha 1
Link to comment

well i've also came across these files like setup_pass123.exe when i was going to rip some gfx from several groups like tPORt. (they weren't on tPORt's releases, but on other groups' releases)

i however accesed these sites through a VM (plus some vpn) so i won't have any risk of getting rogue'd on the real hardware. perhaps they put that file (setup_pass123.exe) only if the searched release isn't found, rather than saying "Deleted due to abuse" after entering that captcha.

plus the description from every release page is actually generated tho .

Link to comment

Well i haven't looked a lot on keygens.pro as remcos don't really interest me at all, but funny that "if crack not found then get a trojan"
i looked a bit more on cracknet.net, and when i was saying "I thinks it's a false positive for 'azorult' malware familly" yep. it appear to be Elysium Stealer/Zeromax Stealer/yahooylo.
some log from the vm, that was tried to be exfiltrated to the cnc:

UCF1UTc.png

related, datas from cnc or just "you got owned bro":
f1jCpRc.jpg VWN1fR6.jpg

jvHD6Bc.jpg XJDLvMd.jpg

some stolen logs from a pc, where you can see browser history and also running process with "keygen-step-5.exe" :)

google chrome default.txt
https://keygenninja.com/ds/indiafont+v2/ Indiafont v2 keygen,serial,crack,generator,unlock,key
https://keygenninja.com/serial/indiafont_v2.html Indiafont v2 serial key or number
https://cracknet.net/d/3c15acbca42738268.html? Get Indiafont v2 keygen here
https://keygencrackpatch.blogspot.com/2019/06/indiafont-v100-patch-174-mb.html APPLICATION CENTER - Full version, Latest Update N Direct Download Links - Crack, Patch, Keygen, Serial Keys, Patches, License keys for free
https://iplogger.org/1Hgx67 1Hgx67 (1×1)
https://www.zuketcreation.net/indiafont-v1-0-0-patch-174-mb IndiaFont v1.0.0 + Patch | 174 MB Application Full Version

information.txt:
[Processes]
---------- System [4]
------------------------------  Registry [96]
-  smss.exe [436]
-  csrss.exe [660]
-  wininit.exe [748]
---------- services.exe [892]
-  lsass.exe [916]
-  svchost.exe [400]
-  svchost.exe [600]
-  fontdrvhost.exe [608]
-  WUDFHost.exe [956]
-  svchost.exe [1064]
-  svchost.exe [1120]
-  WUDFHost.exe [1260]
-  svchost.exe [1380]
-  svchost.exe [1392]
-  svchost.exe [1408]
-  svchost.exe [1452]
-  svchost.exe [1568]
-  svchost.exe [1652]
-  svchost.exe [1676]
-  svchost.exe [1832]
-  igfxCUIService.exe [1876]
-  svchost.exe [1884]
-  svchost.exe [1932]
-  svchost.exe [1960]
-  svchost.exe [1808]
-  svchost.exe [2060]
-  svchost.exe [2108]
-  svchost.exe [2148]
-  svchost.exe [2156]
-  svchost.exe [2264]
-  svchost.exe [2324]
-  svchost.exe [2360]
-  svchost.exe [2456]
-  svchost.exe [2452]
-  svchost.exe [2500]
-  svchost.exe [2508]
-  svchost.exe [2564]
-  Memory Compression [2596]
-  svchost.exe [2688]
-  svchost.exe [2716]
-  svchost.exe [2888]
-  svchost.exe [2924]
-  svchost.exe [2984]
-  svchost.exe [2980]
-  svchost.exe [3136]
-  svchost.exe [3224]
-  spoolsv.exe [3312]
-  svchost.exe [3348]
-  svchost.exe [3528]
-  svchost.exe [3664]
-  AdminService.exe [3908]
-  IntelCpHDCPSvc.exe [3920]
-  svchost.exe [3936]
-  svchost.exe [3944]
-  svchost.exe [3960]
-  DAX3API.exe [3968]
-  svchost.exe [3984]
-  escsvc64.exe [3996]
-  esif_uf.exe [4020]
-  FMService64.exe [4076]
-  svchost.exe [4084]
-  svchost.exe [3280]
-  svchost.exe [3392]
-  RtkAudUService64.exe [4104]
-  svchost.exe [4136]
-  TeamViewer_Service.exe [4204]
-  svchost.exe [4216]
-  svchost.exe [4240]
-  svchost.exe [4256]
-  svchost.exe [4292]
-  svchost.exe [4412]
-  IntelCpHeciSvc.exe [4676]
-  svchost.exe [5184]
-  svchost.exe [5232]
-  svchost.exe [5940]
-  svchost.exe [6428]
-  WmiPrvSE.exe [6960]
-  PresentationFontCache.exe [6044]
-  Lenovo.Modern.ImController.exe [6608]
-  svchost.exe [2176]
-  svchost.exe [6844]
-  svchost.exe [7176]
-  SearchIndexer.exe [4284]
-  svchost.exe [8552]
-  SecurityHealthService.exe [1704]
-  svchost.exe [9156]
-  svchost.exe [9804]
-  jhi_service.exe [10304]
-  GoogleCrashHandler.exe [10340]
-  LMS.exe [10352]
-  GoogleCrashHandler64.exe [10372]
-  SgrmBroker.exe [11036]
-  svchost.exe [11124]
-  svchost.exe [10752]
-  svchost.exe [10848]
-  svchost.exe [4756]
-  svchost.exe [2088]
-  svchost.exe [4528]
-  svchost.exe [12100]
-  svchost.exe [8128]
-  svchost.exe [4276]
-  csrss.exe [10004]
-  svchost.exe [10084]
-  csrss.exe [4188]
-  svchost.exe [14536]
-  csrss.exe [3560]
-  MsMpEng.exe [9024]
-  AdobeUpdateService.exe [8088]
-  svchost.exe [10364]
-  AGSService.exe [4248]
-  AGMService.exe [5552]
-  unsecapp.exe [7572]
-  svchost.exe [16776]
-  servicehost.exe [16228]
-  AnyDesk.exe [2192]
-  svchost.exe [13356]
-  svchost.exe [3432]
-  dasHost.exe [10468]
-  svchost.exe [16176]
-  csrss.exe [12040]
-  usocoreworker.exe [3256]
-  MusNotification.exe [16784]
-  MusNotification.exe [17076]
-  UsoClient.exe [19348]
-  UsoClient.exe [3572]
-  taskhostw.exe [10116]
-  armsvc.exe [2204]
-  UsoClient.exe [1544]
-  dllhost.exe [17804]
-  UsoClient.exe [2392]
-  UsoClient.exe [15712]
-  UsoClient.exe [20924]
-  UsoClient.exe [756]
-  UsoClient.exe [19624]
-  UsoClient.exe [2852]
-  UsoClient.exe [20052]
-  svchost.exe [15972]
-  UsoClient.exe [20316]
-  UsoClient.exe [10528]
-  UsoClient.exe [5284]
-  UsoClient.exe [9532]
-  UsoClient.exe [5716]
-  UsoClient.exe [2844]
-  UsoClient.exe [5908]
-  UsoClient.exe [13548]
-  UsoClient.exe [408]
-  csrss.exe [2900]
-  winlogon.exe [2828]
---------- dwm.exe [16548]
-  fontdrvhost.exe [8828]
-  DAX3API.exe [10020]
---------- conhost.exe [13580]
-  dptf_helper.exe [15840]
-  uihost.exe [17652]
-  unsecapp.exe [17100]
-  ctfmon.exe [20632]
-  sihost.exe [16724]
-  svchost.exe [21104]
-  svchost.exe [1072]
-  taskhostw.exe [6080]
-  explorer.exe [20552]
-  svchost.exe [14568]
-  StartMenuExperienceHost.exe [1560]
-  RuntimeBroker.exe [10268]
-  dllhost.exe [13680]
-  RuntimeBroker.exe [5056]
-  SettingSyncHost.exe [1248]
-  SearchUI.exe [6904]
-  SecurityHealthSystray.exe [6872]
-  RtkAudUService64.exe [12328]
-  E_YATIUPE.EXE [18708]
-  Skype.exe [8044]
-  AnyDesk.exe [14352]
-  Creative Cloud.exe [1436]
-  CCXProcess.exe [17116]
---------- node.exe [14396]
------------------------------  conhost.exe [6652]
-  Skype.exe [19276]
-  Skype.exe [2968]
-  Skype.exe [19672]
-  Skype.exe [9980]
-  Adobe CEF Helper.exe [16216]
-  svchost.exe [8896]
-  HostAppServiceUpdater.exe [19324]
-  Adobe CEF Helper.exe [21376]
-  Adobe CEF Helper.exe [19716]
-  Creative Cloud Helper.exe [10876]
-  CoreSync.exe [16436]
-  RemindersServer.exe [13996]
-  YourPhone.exe [9456]
-  AdobeNotificationClient.exe [14372]
-  RuntimeBroker.exe [4236]
-  RuntimeBroker.exe [15880]
-  UsoClient.exe [16168]
-  ApplicationFrameHost.exe [9368]
-  SystemSettings.exe [12956]
-  UserOOBEBroker.exe [18064]
-  commsapps.exe [19960]
-  RuntimeBroker.exe [12668]
-  HxTsr.exe [4504]
-  Video.UI.exe [19924]
-  RuntimeBroker.exe [21156]
-  RuntimeBroker.exe [16580]
-  ShellExperienceHost.exe [10000]
-  RuntimeBroker.exe [7012]
-  CCLibrary.exe [5744]
---------- node.exe [12980]
------------------------------  conhost.exe [19340]
-  Microsoft.Photos.exe [7784]
-  RuntimeBroker.exe [20952]
-  svchost.exe [8772]
-  WindowsInternal.ComposableShell.Experiences.TextInput.InputApp.exe [21036]
-  UsoClient.exe [4836]
-  SecurityHealthHost.exe [13896]
-  MpCmdRun.exe [5600]
-  WmiPrvSE.exe [14636]
-  keygen-step-5.exe [10256]
-  WmiPrvSE.exe [15036]
-  smartscreen.exe [7868]
-  svchost.exe [17932]
-  FB2B.tmp.exe [17260]
-  svchost.exe [15108]
-  svchost.exe [19700]
-  FF1C.tmp.exe [8244]
-  3C0.exe [17576]
-  convimage.exe [14528]
-  NisSrv.exe [16212]
-  3BD9.exe [20636]
-  8AB5.tmp.exe [17776]
-  explorer.exe [7320]
-  explorer.exe [8356]
-  explorer.exe [16624]
-  explorer.exe [8688]
-  powershell.exe [19404]
-  explorer.exe [8612]
-  explorer.exe [14944]
-  explorer.exe [14260]
-  conhost.exe [15188]
-  explorer.exe [13328]
-  svchost.exe [3400]
-  RegAsm.exe [20132]
-  explorer.exe [16236]
-  WerFault.exe [12020]
-  taskhostw.exe [14684]
-  backgroundTaskHost.exe [20296]
-  TrustedInstaller.exe [16464]
-  explorer.exe [13440]
-  TiWorker.exe [15312]
-  explorer.exe [12264]
-  explorer.exe [9032]
-  explorer.exe [18328]
-  explorer.exe [17444]
-  explorer.exe [9072]
-  explorer.exe [19640]
-  FileCoAuth.exe [884]
-  explorer.exe [1580]
-  explorer.exe [7160]
-  explorer.exe [11820]
-  explorer.exe [15652]
-  explorer.exe [7324]
-  explorer.exe [11296]

And here is a chaos mosaic i did with vt-graph, landscape map with cracknet and friends:
https://www.virustotal.com/graph/embed/g1eb67876dc2343c7bad3310f6dcd7db61d2ee76f7842479fbd19afea3dbaee8f

  • Thanks 2
Link to comment
  • 4 weeks later...

Tango down for 109.201.133.80 (keygens.pro, serials.be, crack.ms)
4jymqo1.png

Meanwhile, 54.36.184.139 (crackinns.com, torrentheap.com, crackheaps.com, cracknets.net, cracksnet.net, cracknet.net, keygenit.net, keygenom.net, cracksgurus.com, keygenninja.com, serialms.com, mackeygens.com, mediagetsite.com, get.ziplink.xyz, get.ziplink.stream) are still spreading malware.
Abuse sent too, but nothing followed for the moment, so here is some insight about their infra in the meantime (when all else fails, crowbar the fornicationer)

Embedded mini-admin panel to administrate the fake sites, allow them to disable links, blacklist keywords on site, redirect on affil, etc..
uTtOMqH.png jUSX0Df.png

Okay cool, you might want to see some numbers now?
The site with highest traffic is keygenninja with around 13k visits per day, and they infect/install roughly 10k per day.
4mffR99.png

As mentioned in previous post the end user get a bunch of crap (trojan.miner, password stealer, serial numbers stealer, PUPs..)
The exfiltrated passwords are sent to t4p.xyz, domain registered by alelolay[@]protonmail.com, who also own fews other domains (q1f.xyz, crypto-trad1ng.xyz , trading-solutions.xyz)
That all, for the moment!

  • Like 8
  • Thanks 2
Link to comment
  • 1 month later...

keygens.pro is back as expected.
Still distributing randomly 'setup_pass-123.exe' and some other craps like htxps://keygens.pro/crack/122490/
https://www.virustotal.com/gui/file/1c6d9872dd7e6cf5fe515fbdafd055885ba07c3f1f214e4a789662e6ed046439/detection
shity vb6 layer on that one 'Projekt1test\ApCrypterStub' appear to be communicating with dontfornicationjesus.no-ip.info, PoisonIvy RAT

Meanwhile, cracknet syndicat is still resilient.
Although they dropped infections to 6k daily because we're making their job more difficult.
Some of theirs malwares who connect to download more (not exhaustive list):

down.05779b0d24fb315d.xyz/index.exe 67C68B858942BEF785B1A5FC9CDDDB01
down.05779b0d24fb315d.xyz/index_no2.exe 802FE2BA6D91BDEADAA9DE19213EC133
www.sodown.xyz/index.exe 67C68B858942BEF785B1A5FC9CDDDB01
1105355415.rsc.cdn77.org/index.exe 67C68B858942BEF785B1A5FC9CDDDB01
1105355415.rsc.cdn77.org/index_no2.exe 802FE2BA6D91BDEADAA9DE19213EC133
1105355415.rsc.cdn77.org/bot_no.exe 34BD9B901914A3051989E95CE2A47BA3
1105355415.rsc.cdn77.org/bot.exe 06F4985B578AD995DBF6F07B0EEB6279
www.cleimmo.ma/rh/soft.exe 6FDB7328D15D2EE2AD9F6B072054A7BE
www.evograph.ro/js/sooft.exe BDBB8E4DE8FFAA96552DF10D184B3195
www.evograph.ro/js/fw1.exe 5BD6A17341164EB9BE5C4149E619AA6A
icaterp.com/db/jamkee.exe 35CC7255BA16D183A4A132650D67D2DF

These one have daily hash change:

dream.pics/setup_10.2_mix3.exe B9E36254F804771139987B8FAB28C2D2
dream.pics/setup_10.2_mix2.exe 898BE5FDC5F6CBC87BCAA4648F241742
dream.pics/setup_10.2_mix1.exe 3FECE26FB5465927C205B0D9A2B94872
dream.pics/setup_10.2_mix.exe DF5C0B910F5E53C92894B5C33A14B409
dream.pics/setup_10.2_mix.exe 1C882DC851AD5E56FD1F5A678A966767
dream.pics/setup_10.2_mix.exe A834C2FB14754929ED71A2030E7BEDD6
dream.pics/setup_10.2_mix.exe 089461312BC99FA6220BBEE93FDE4716
dream.pics/setup_10.2_mix.exe 8A09EC6492F6568E0DF78F35389D330A
dream.pics/setup_10.2_mix.exe 5FC34A006FA51232DBE699FE709F05B6
dream.pics/setup_10.2_mix.exe 4F6B2CCD06FBE9F307C6182C258E5CFD
dream.pics/setup_10.2_mix.exe 310F175EF3484C2AF64EC1582BBB6E8A
dream.pics/setup_10.2_mix.exe 53B6B6893176F9DD0BEE1B21E9B4E452

 

  • Thanks 1
Link to comment
  • 3 weeks later...
Roentgen

Me personally never had any issue with keygens.pro (well, at least I checked some of my old releases and they are not altered). The whole situation is quite sad, because end-users blame crackers for making/spreading viruses but the crackers have nothing to do with the malware

Link to comment
  • 2 weeks later...
  • 3 weeks later...

I tried to look at the new shenanigan of keygens.pro but that thing just wont run on my systems.
SetupPass-123.exe -  468f3af5f80792d566b0601ed58e429fca80adda
x64 file, vs2015 runtime on import, and also "vcruntime140_1.dll" for one function (?!)
the same file can be observed also in the wild at: hxxp://cuckoorental.com/backup.exe

some news also about cracknet: seem they now use their domain 'crackheap' as gateway to replace cracknet.
they also renewed their vidar license, as it's being used as payload in their latest malware, from the last run of today: https://app.any.run/tasks/0cafbb3a-5a58-4241-94c5-1e119668831d/ (the '
Vbox.exe' process)
 

Link to comment
  • 1 month later...
suspicious_link

created an account on this site to respond to this, it's MingLoa / CopperStealer

https://www.trendmicro.com/en_us/research/21/c/websites-hosting-cracks-spread-malware-adware.html

https://twitter.com/JAMESWT_MHT/status/1355432089378811904

https://www.proofpoint.com/us/blog/threat-insight/now-you-see-it-now-you-dont-copperstealer-performs-widespread-theft

Link to comment
  • 1 month later...
Matsilagi
Posted (edited)

So, i was desperate for a Keygen and ended up falling for one of those sites (CracksGuru), ran it, and it did part of it's payload, however, i refused one of it's things to run, but the other went through.

After seeing the CPU consumption skyrocket and a weird iplogger page appear, i panicked and downloaded MBAM and scanned, it found a few threats (An autoexec entry, a Registry Key and a exe), and removed those, then, o scanned with Spybot Search and Destroy, and it found nothing.

Besides changing passwords and all that safety rodeo, should i go with formatting or can I sleep safe knowing that the virus had been eliminated?

 

Forgot to say but, after the scans, i did not notice anything weird, and nothing new seemed to be installed. Still gotta check the browser extensions, and none of the MSI payloads ran when I first executed the fake Keygen before the scan (i had 2 MSI installers but they were on background, and i killed them). Any other places to look at after the virus are welcome for me, since I'm not new to computers, just happened to be unfortunate.

Edited by Matsilagi
Link to comment

check if you don't have anything 'weird' or at least that you don't recognise who launch at startup with windows.
 

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...