General
Target: 902f94aa7222739a873f8f2805428e89822fc34842a0d731828ca0d6fce69dd6.exe
Size: 2.3MB
Sample: 240630-bpqq9avdpq
MD5: a3063deffb695211eacaad97e9c38936
SHA1: 22c0dcbff864ac7ab665dcaa40fa0e2f5a609d6b
SHA256: 902f94aa7222739a873f8f2805428e89822fc34842a0d731828ca0d6fce69dd6
SHA512: c3365f69bcaf92b73449a58596ac9e37bc2a5eb11c048d336ff296439d9ec55f53f9f23a741305f565d64d449fc3ba508b03657ae73c3ed4108dd38aa8f10ed1
SSDEEP: 49152:3LeY9/gdSz5eLeorkMy9UVfSpk2+GmC/KrluvCd:9sLeorNg8fcl+Gm8Na
Static task: static1
Behavioral task: behavioral1
  Sample: 902f94aa7222739a873f8f2805428e89822fc34842a0d731828ca0d6fce69dd6.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 902f94aa7222739a873f8f2805428e89822fc34842a0d731828ca0d6fce69dd6.exe
  Resource: win10v2004-20240508-en
Malware Config
Extracted: xworm
  football-emily.gl.at.ply.gg:39625
  Install_directory: %AppData%
  install_file: Registry.exe
Targets
Target: 902f94aa7222739a873f8f2805428e89822fc34842a0d731828ca0d6fce69dd6.exe
Size: 2.3MB
MD5: a3063deffb695211eacaad97e9c38936
SHA1: 22c0dcbff864ac7ab665dcaa40fa0e2f5a609d6b
SHA256: 902f94aa7222739a873f8f2805428e89822fc34842a0d731828ca0d6fce69dd6
SHA512: c3365f69bcaf92b73449a58596ac9e37bc2a5eb11c048d336ff296439d9ec55f53f9f23a741305f565d64d449fc3ba508b03657ae73c3ed4108dd38aa8f10ed1
SSDEEP: 49152:3LeY9/gdSz5eLeorkMy9UVfSpk2+GmC/KrluvCd:9sLeorNg8fcl+Gm8Na
Signatures
- DcRat: DarkCrystal (DC) is a new .NET RAT active since June 2019, capable of loading additional plugins.
- Detect Xworm Payload
- Detects Windows executables referencing non-Windows User-Agents
- Detects executables containing URLs to raw contents of a GitHub gist
- Command and Scripting Interpreter: PowerShell: Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Matrix (ATT&CK v13)
Execution
  Command and Scripting Interpreter (1): PowerShell (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1): Scheduled Task (1)