General

  • Target

    XWorm V5.2.exe

  • Size

    9.6MB

  • Sample

    231121-3p11rshc24

  • MD5

    1320b870d468db82ab7530c9f3b9a2de

  • SHA1

    1f3789d89649461d5ed29dba8ffbf3ced3e907ee

  • SHA256

    7b91bcb0374d99e65d5d741be81d356575cfcd0832c32f35b641723258ac2a28

  • SHA512

    1658b98440ba25b17fee7ce610bf0d52b523d02a5f91ce77779a3e535ebf0b79d443145a46487f28fc8ffca2b43e229fabc42f9485e2651e612d71947841a285

  • SSDEEP

    196608:tROdkWMB1TCCAaa/f+cUhBLHK1gzaFsKnULGZ3d/VRyDhwymXeexoAxG:tRK2B1CkcDUDLHK18as0mcvow+Ax

Score
10/10

Malware Config

Targets

    • Target

      XWorm V5.2.exe

    • Size

      9.6MB

    • MD5

      1320b870d468db82ab7530c9f3b9a2de

    • SHA1

      1f3789d89649461d5ed29dba8ffbf3ced3e907ee

    • SHA256

      7b91bcb0374d99e65d5d741be81d356575cfcd0832c32f35b641723258ac2a28

    • SHA512

      1658b98440ba25b17fee7ce610bf0d52b523d02a5f91ce77779a3e535ebf0b79d443145a46487f28fc8ffca2b43e229fabc42f9485e2651e612d71947841a285

    • SSDEEP

      196608:tROdkWMB1TCCAaa/f+cUhBLHK1gzaFsKnULGZ3d/VRyDhwymXeexoAxG:tRK2B1CkcDUDLHK18as0mcvow+Ax

    Score
    10/10
    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

MITRE ATT&CK Enterprise v15

Tasks