General
Target: a3063deffb695211eacaad97e9c38936.bin
Size: 1.9MB
Sample: 240701-dce54axdpk
MD5: 5bb75549c77a58704fcaec850be94ef3
SHA1: 456d3a6d56fdb7a414a03622362907fbbe69de09
SHA256: c73f4cc8740229642df3588a0f924a42726b77a03ef24ba3d6461cccafbd9976
SHA512: 490c6fee47ddedbd8d0251cedc103002f1fd3cfaf82365a95788dac3c64be540fe39cb61d9e0c37c2b01eafc879d210af2916e2da8743e6770e366535e0ab142
SSDEEP: 49152:0tg6HOiBN0V1oo3WnUrnchEvmpB7p+j4z2sNdO46+69PrWrroRvaL:iHOiE/oPUj7+o4zZQ5XWrMxaL
Static task: static1
Behavioral task: behavioral1
Sample: 902f94aa7222739a873f8f2805428e89822fc34842a0d731828ca0d6fce69dd6.exe
Resource: win7-20231129-en
Malware Config
Extracted: xworm
C2: football-emily.gl.at.ply.gg:39625
Install_directory: %AppData%
install_file: Registry.exe
Targets
Target: 902f94aa7222739a873f8f2805428e89822fc34842a0d731828ca0d6fce69dd6.exe
Size: 2.3MB
MD5: a3063deffb695211eacaad97e9c38936
SHA1: 22c0dcbff864ac7ab665dcaa40fa0e2f5a609d6b
SHA256: 902f94aa7222739a873f8f2805428e89822fc34842a0d731828ca0d6fce69dd6
SHA512: c3365f69bcaf92b73449a58596ac9e37bc2a5eb11c048d336ff296439d9ec55f53f9f23a741305f565d64d449fc3ba508b03657ae73c3ed4108dd38aa8f10ed1
SSDEEP: 49152:3LeY9/gdSz5eLeorkMy9UVfSpk2+GmC/KrluvCd:9sLeorNg8fcl+Gm8Na
DcRat: DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
Detect Xworm Payload
Command and Scripting Interpreter: PowerShell. Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Matrix (ATT&CK v13)
Execution
  Command and Scripting Interpreter (1): PowerShell (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1): Scheduled Task (1)