How Cracks and Installers Bring Malware to Your Device

    Date: 01/13/2025

    Severity: High

    Summary

    Attackers exploit platforms like YouTube and social media to share links to fake installers, leveraging user trust to drive traffic to malicious sites. They often use trusted file hosting services like Mediafire and Mega.nz to hide the origin of malware and evade detection. Many downloads are password-protected and encoded, complicating analysis and enabling the malware to bypass early detection. Once installed, the malware steals sensitive browser data, highlighting the dangers of unknowingly downloading fraudulent software.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    simple-updatereport3.com

    http://194.116.215.195/File.exe

    http://185.215.113.202/tema/rana.exe

    http://147.45.44.104/revada/66f45ebb9b495_crypted_20240925215808.exe

    http://176.113.115.33/thebig/noode.exe

    http://147.45.44.104/lopsa/66f18e5598f87_kaloa.exe

    http://147.45.44.104/yuop/66f3de8e8f1c5_lyla334.exe

    http://147.45.44.104/prog/66f42472a1351_vfdsgfsda.exe

    https://bitbucket.org/kcatelin/jameson/downloads/easyfirewall.exe

    http://176.111.174.109/kurwa

    http://185.215.113.37/0d60be0de163924d/sqlite3.dll

    http://147.45.44.104/prog/66f4248154c67_sgdfgs.exe

    http://147.45.44.104/lopsa/66ea645129e6a_jacobs.exe

    http://45.155.249.117/search/?q=67e28dd86509fa2e4758fe197c27d78406 

    Hashes (SHA-1):

    f0745f349387f91cd3e586f5806362ba4047c452

    469ed7d853d590e90f05bdf77af114b84c88de2c

    980d42c5f646dfbaa7d6ec8d764f35176f1d0c1b

    559179b4e2508b0d813fe8ab95b337b8ca7010c1

    ea2dd0f24f380288f7ddec30f6bb56e139a7de4d

    b771dd2692706996956a2def154755d41866ec6e

    93f70a0a1c850bd12e814d113720dd0732daf286

    27b45865e79e48634533d3971ddf2a0164c4f3bb

    7d713406a470e2d34ec2b44a353fc6f0a700ebf3

    2bff6fd096b95b1591259d223f7a0ced2bb1c79f

    92d1bf1f367b38d4e858fff9ba49ba0af9c6331e

    b0c69327cf2fa32f59e6660b1d2940cc1ea8ccdd

    a33b2fc8560ae87aa120fc3a9829f5b28034e70b

    1af9c47cebcd26a7bfbff7b40b02a6da7391fe12

    b14aadd4a664faf9111f8e4888121d802c339d04

    2af2ee421ae26a98f9775bfe46821ffb47b406d3

    54707cf003933f529c71c70deefba54e401093e5

    f79925dbb1b132647265ee0033f68918b9f23b7f

    2100e96043b56b97601f55d51d9c66ea6ba859d1

    456bafcf7442595a1b4cd94112d61eb987dc5968

    4d2c9d9b09226524868760263c873edc664456a9

    Hash (MD5):

    836f23d7f210c7ed929938cd6b9210

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains/URLs:

    userdomainname like "http://147.45.44.104/yuop/66f3de8e8f1c5_lyla334.exe" or url like "http://147.45.44.104/yuop/66f3de8e8f1c5_lyla334.exe" or userdomainname like "http://147.45.44.104/prog/66f4248154c67_sgdfgs.exe" or url like "http://147.45.44.104/prog/66f4248154c67_sgdfgs.exe" or userdomainname like "http://176.111.174.109/kurwa" or url like "http://176.111.174.109/kurwa" or userdomainname like "http://147.45.44.104/revada/66f45ebb9b495_crypted_20240925215808.exe" or url like "http://147.45.44.104/revada/66f45ebb9b495_crypted_20240925215808.exe" or userdomainname like "http://185.215.113.37/0d60be0de163924d/sqlite3.dll" or url like "http://185.215.113.37/0d60be0de163924d/sqlite3.dll" or userdomainname like "http://176.113.115.33/thebig/noode.exe" or url like "http://176.113.115.33/thebig/noode.exe" or userdomainname like "http://147.45.44.104/lopsa/66f18e5598f87_kaloa.exe" or url like "http://147.45.44.104/lopsa/66f18e5598f87_kaloa.exe" or userdomainname like "simple-updatereport3.com" or url like "simple-updatereport3.com" or userdomainname like "http://147.45.44.104/lopsa/66ea645129e6a_jacobs.exe" or url like "http://147.45.44.104/lopsa/66ea645129e6a_jacobs.exe" or userdomainname like "http://194.116.215.195/File.exe" or url like "http://194.116.215.195/File.exe" or userdomainname like "http://185.215.113.202/tema/rana.exe" or url like "http://185.215.113.202/tema/rana.exe" or userdomainname like "http://147.45.44.104/prog/66f42472a1351_vfdsgfsda.exe" or url like "http://147.45.44.104/prog/66f42472a1351_vfdsgfsda.exe" or userdomainname like "https://bitbucket.org/kcatelin/jameson/downloads/easyfirewall.exe" or url like "https://bitbucket.org/kcatelin/jameson/downloads/easyfirewall.exe" or userdomainname like "http://45.155.249.117/search/?q=67e28dd86509fa2e4758fe197c27d78406" or url like "http://45.155.249.117/search/?q=67e28dd86509fa2e4758fe197c27d78406"

    Hashes:

    sha1hash IN ("b0c69327cf2fa32f59e6660b1d2940cc1ea8ccdd","a33b2fc8560ae87aa120fc3a9829f5b28034e70b","b771dd2692706996956a2def154755d41866ec6e","27b45865e79e48634533d3971ddf2a0164c4f3bb","92d1bf1f367b38d4e858fff9ba49ba0af9c6331e","456bafcf7442595a1b4cd94112d61eb987dc5968","f0745f349387f91cd3e586f5806362ba4047c452","469ed7d853d590e90f05bdf77af114b84c88de2c","f79925dbb1b132647265ee0033f68918b9f23b7f","2100e96043b56b97601f55d51d9c66ea6ba859d1","93f70a0a1c850bd12e814d113720dd0732daf286","559179b4e2508b0d813fe8ab95b337b8ca7010c1","4d2c9d9b09226524868760263c873edc664456a9","ea2dd0f24f380288f7ddec30f6bb56e139a7de4d","980d42c5f646dfbaa7d6ec8d764f35176f1d0c1b","7d713406a470e2d34ec2b44a353fc6f0a700ebf3","f0745f349387f91cd3e586f5806362ba4047c452","469ed7d853d590e90f05bdf77af114b84c88de2c","2bff6fd096b95b1591259d223f7a0ced2bb1c79f","b14aadd4a664faf9111f8e4888121d802c339d04","2af2ee421ae26a98f9775bfe46821ffb47b406d3","54707cf003933f529c71c70deefba54e401093e5","469ed7d853d590e90f05bdf77af114b84c88de2c","1af9c47cebcd26a7bfbff7b40b02a6da7391fe12")
    md5hash IN ("836f23d7f210c7ed929938cd6b9210")
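    The queries above are written for Gurucul's own query language. For teams that need to sweep existing proxy and EDR exports with the same indicators, the following Python is an added example (not part of this advisory, and not Gurucul or Trend Micro code) that loads a subset of the URL and hash IOCs listed above and matches them against constructed log lines; the log formats, client addresses, hostnames and file paths are invented for illustration. It normalises hash case (the list above prints one SHA-1 in mixed case), treats bare domains and IP-literal hosts as indicators in their own right while matching shared services such as bitbucket.org only on the exact path, and rejects hash values that are not well-formed. Note that the MD5 value as printed above is 30 hexadecimal characters, not the 32 an MD5 digest has, so a strict loader will reject it; verify that value against the referenced report before loading it into a detection rule.

```python
"""Match this advisory's URL and hash IOCs against proxy and EDR log lines (added example)."""
import ipaddress
import re
from urllib.parse import urlsplit

# A representative subset of the IOCs listed in the advisory, copied as printed.
URL_IOCS = [
    "simple-updatereport3.com",
    "http://194.116.215.195/File.exe",
    "http://147.45.44.104/revada/66f45ebb9b495_crypted_20240925215808.exe",
    "https://bitbucket.org/kcatelin/jameson/downloads/easyfirewall.exe",
]
HASH_IOCS = [
    "F0745f349387f91cd3e586f5806362ba4047c452",  # printed in mixed case
    "469ed7d853d590e90f05bdf77af114b84c88de2c",
    "836f23d7f210c7ed929938cd6b9210",            # MD5 as printed: only 30 hex chars
]

HEX_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-f]+$")
HASH_FIELD_RE = re.compile(r"\b(md5|sha1|sha256)=([0-9A-Fa-f]+)")


def normalize_hashes(hashes):
    """Lower-case each hash and keep only well-formed MD5/SHA-1/SHA-256 values.
    Returns (accepted, rejected): accepted maps hash -> algorithm, rejected lists
    values that no sensor could ever report and that must be checked by hand."""
    accepted, rejected = {}, []
    for raw in hashes:
        h = raw.strip().lower()
        algo = HEX_LENGTHS.get(len(h))
        if algo and HEX_RE.match(h):
            accepted[h] = algo
        else:
            rejected.append(raw)
    return accepted, rejected


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def build_url_index(iocs):
    """Return (exact, hosts): exact is a set of (host, path) pairs; hosts holds
    bare-domain and IP-literal indicators that match on the host alone. Shared
    services (bitbucket.org here) are deliberately matched only on the exact path."""
    exact, hosts = set(), set()
    for ioc in iocs:
        if "://" not in ioc:
            hosts.add(ioc.strip().lower())
            continue
        p = urlsplit(ioc.strip())
        host = p.hostname.lower()
        path = p.path + (f"?{p.query}" if p.query else "")
        exact.add((host, path))
        if is_ip_literal(host):
            hosts.add(host)
    return exact, hosts


def match_proxy_line(line, exact, hosts):
    """Constructed proxy format: '<ts> <client> <method> <url> <status>'.
    Returns 'exact', 'host' (same host, different path) or None."""
    fields = line.split()
    if len(fields) < 5:
        return None
    p = urlsplit(fields[3])
    host = (p.hostname or "").lower()
    path = p.path + (f"?{p.query}" if p.query else "")
    if (host, path) in exact:
        return "exact"
    return "host" if host in hosts else None


def match_edr_line(line, accepted):
    """Constructed EDR format: key=value pairs including sha1=/md5= fields.
    Returns the matching hash, lower-cased, or None."""
    for _algo, value in HASH_FIELD_RE.findall(line):
        if value.lower() in accepted:
            return value.lower()
    return None


def scan(proxy_lines, edr_lines):
    """Run both matchers; returns a list of (source, verdict, line) hits."""
    exact, hosts = build_url_index(URL_IOCS)
    accepted, _ = normalize_hashes(HASH_IOCS)
    hits = [("proxy", v, ln) for ln in proxy_lines if (v := match_proxy_line(ln, exact, hosts))]
    hits += [("edr", h, ln) for ln in edr_lines if (h := match_edr_line(ln, accepted))]
    return hits


# Constructed sample logs: client IPs, hostnames and file paths are invented.
PROXY_LOG = [
    "2025-01-13T10:02:11Z 10.0.0.15 GET http://147.45.44.104/revada/66f45ebb9b495_crypted_20240925215808.exe 200",
    "2025-01-13T10:03:40Z 10.0.0.15 GET http://147.45.44.104/other/unknown.exe 200",
    "2025-01-13T10:05:02Z 10.0.0.22 GET https://bitbucket.org/someone/else/downloads/tool.exe 200",
    "2025-01-13T10:06:30Z 10.0.0.22 GET https://SIMPLE-UPDATEREPORT3.com/update 200",
]
EDR_LOG = [
    "2025-01-13T10:07:00Z host=WS01 file=C:\\Users\\u\\Downloads\\setup.exe sha1=f0745F349387F91CD3E586F5806362BA4047C452",
    "2025-01-13T10:08:00Z host=WS02 file=C:\\Users\\u\\Downloads\\notes.exe sha1=0000000000000000000000000000000000000000",
]

if __name__ == "__main__":
    print("malformed hash IOCs:", normalize_hashes(HASH_IOCS)[1])
    for hit in scan(PROXY_LOG, EDR_LOG):
        print(hit)
```

The host-level verdict is intentionally weaker than the exact one: a second download from the same IP-literal host is worth an analyst's look even when the path differs, whereas every request to bitbucket.org would be noise, so that host only fires on the listed path.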

    Reference:   

    https://www.trendmicro.com/en_us/research/25/a/how-cracks-and-installers-bring-malware-to-your-device.html 


    Tags

    Malware, Fake software
