General

  • Target

    Cobra (2).rar

  • Size

    98.6MB

  • Sample

    240331-qnrpgscd41

  • MD5

    afd929cb167fc56cf900a64eadf2ad34

  • SHA1

    85f05be106ddcd97028b9eea0868cd0505867b3c

  • SHA256

    75c9353529159326f6d57a331386bb1e460d8806d57711fcff8d133214ce8ba1

  • SHA512

    77cf0689763ace65d57d0c80d7a9312b379b90b0884acfeb896d658749132b93f20e145bc774531d42a744c3e48c46857ee74ac571e7bd6266da5e4785b69fac

  • SSDEEP

    1572864:oo0E5moJQLH9E85LaMqWkZtNZCh+ZLtdjqquonYWCtEOg2c+9OplIDu:o2mLLdEMq7/NndXqquonYWCtEOg2rmQu

Malware Config

Extracted

Family

xworm

C2

147.78.103.53:2723

Attributes
  • Install_directory

    %AppData%

  • install_file

    CraxsRat.exe

  • telegram

    https://api.telegram.org/bot7165460947:AAH6f591Qm_-opaAI0oIFjzcZwmJpJlI7Ek/sendMessage?chat_id=5169736402

Targets

    • Target

      Cobra (2).rar

    • Size

      98.6MB

    • MD5

      afd929cb167fc56cf900a64eadf2ad34

    • SHA1

      85f05be106ddcd97028b9eea0868cd0505867b3c

    • SHA256

      75c9353529159326f6d57a331386bb1e460d8806d57711fcff8d133214ce8ba1

    • SHA512

      77cf0689763ace65d57d0c80d7a9312b379b90b0884acfeb896d658749132b93f20e145bc774531d42a744c3e48c46857ee74ac571e7bd6266da5e4785b69fac

    • SSDEEP

      1572864:oo0E5moJQLH9E85LaMqWkZtNZCh+ZLtdjqquonYWCtEOg2c+9OplIDu:o2mLLdEMq7/NndXqquonYWCtEOg2rmQu

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks