General
- Target: StandLaunchpad.exe
- Size: 134KB
- Sample: 240408-tzcw9adg88
- MD5: 313697746f04c39606c3c145f7585973
- SHA1: cdf4242e9770e2df7194909c0f6682b7444d65a5
- SHA256: 62471479442943fbfae666403abfd0ccd02ed6d5be6bca01544cc887ca527c8d
- SHA512: e8c7031fb50c04adffde20951c1dc5024651c03200ee119c9979538f34003123969fc2fbb7a31a05fcb94985cf612bc1bb6f33293e7399382c179c3566672b34
- SSDEEP: 3072:c/+WPWhShsl6gRnP5D4LKLh1T5g4+G0jhL:hnhsghhMLOh1TUjh
Static task: static1
Behavioral task: behavioral1
- Sample: StandLaunchpad.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: StandLaunchpad.exe
- Resource: win10v2004-20240226-en
Malware Config
Extracted: xworm
- C2: 127.0.0.1:22671
- C2: 147.185.221.19:22671
- Install_directory: %Temp%
- install_file: Stand.exe
Note that 127.0.0.1 is the loopback address, so only 147.185.221.19:22671 is usable as a network indicator; the loopback entry is a leftover from the builder or a local test and will never appear in egress traffic.
Targets
Target: StandLaunchpad.exe (134KB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General above)
Signatures
- Contains code to disable Windows Defender: a .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, Block at First Sight, etc.
- CrimsonRAT main payload
- Detect Xworm Payload
- Disables RegEdit via registry modification
- Disables Task Manager via registry modification
- Downloads MZ/PE file
- Modifies Installed Components in the registry
- Modifies Windows Firewall
- Stops running service(s)
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
Both the CrimsonRAT and the Xworm payload signatures fire, but the only configuration the sandbox extracted is an Xworm one (C2, Install_directory, install_file above); treat the CrimsonRAT hit as a family-classification signal that needs manual confirmation rather than as a second payload.
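The extracted config and the registry/file/network signatures above translate directly into host-telemetry hunting rules. The script below is an added example, not part of the sandbox report or of any Xworm tooling: it runs a handful of rules over Sysmon-style events (Event ID 3 network connect, 11 file create, 13 registry value set, flattened into dicts). The sample events are constructed for illustration. The report only states that Task Manager and RegEdit are disabled via the registry and that a Run key is added; the value names DisableTaskMgr / DisableRegistryTools under Policies\System and the CurrentVersion\Run path are assumptions drawn from how those policies are normally set, not values the report lists.

```python
"""Hunt for the Xworm artifacts from the sandbox report in Sysmon-style events.

Added example (not from the report). Event dicts mimic Sysmon Event IDs
3 (network connect), 11 (file create) and 13 (registry value set).
"""
import ipaddress
import re

# Indicators taken from the extracted config and the behavioral signatures.
# 127.0.0.1:22671 is loopback and deliberately excluded: it never hits the wire.
C2_ENDPOINTS = {("147.185.221.19", 22671)}
INSTALL_FILE = "Stand.exe"                       # install_file from the config
# install_file dropped under %Temp% (Install_directory from the config)
TEMP_DROP_RE = re.compile(r"\\Temp\\Stand\.exe$", re.IGNORECASE)
# ASSUMPTION: policy value names used to disable Task Manager / RegEdit;
# the report names only the behavior, not the registry values.
POLICY_RE = re.compile(
    r"\\Policies\\System\\(DisableTaskMgr|DisableRegistryTools)$", re.IGNORECASE)
# ASSUMPTION: Run / RunOnce key path for the "Adds Run key" signature.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
# Sysmon renders DWORD values as "DWORD (0x00000001)"; only a value of 1 disables.
DWORD_ONE_RE = re.compile(r"DWORD \(0x0*1\)$", re.IGNORECASE)


def match_event(ev):
    """Return the names of every rule the event satisfies (empty list if none)."""
    hits = []
    eid = ev.get("EventID")
    if eid == 3:
        try:
            dst = str(ipaddress.ip_address(ev.get("DestinationIp", "")))
        except ValueError:           # malformed or missing address: no match
            dst = ""
        if (dst, int(ev.get("DestinationPort", 0))) in C2_ENDPOINTS:
            hits.append("xworm_c2_connect")
    elif eid == 11:
        if TEMP_DROP_RE.search(ev.get("TargetFilename", "")):
            hits.append("xworm_install_file_dropped")
    elif eid == 13:
        target = ev.get("TargetObject", "")
        details = ev.get("Details", "")
        if POLICY_RE.search(target) and DWORD_ONE_RE.search(details):
            hits.append("taskmgr_or_regedit_disabled")
        if RUN_KEY_RE.search(target) and INSTALL_FILE.lower() in details.lower():
            hits.append("xworm_run_key_persistence")
    return hits


def hunt(events):
    """Aggregate rule hits over an event stream: {rule_name: [event indexes]}."""
    found = {}
    for idx, ev in enumerate(events):
        for rule in match_event(ev):
            found.setdefault(rule, []).append(idx)
    return found


# Constructed sample events (not taken from the report's own traces).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\u\Desktop\StandLaunchpad.exe",
     "TargetFilename": r"C:\Users\u\AppData\Local\Temp\Stand.exe"},
    {"EventID": 13, "Image": r"C:\Users\u\AppData\Local\Temp\Stand.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Stand",
     "Details": r"C:\Users\u\AppData\Local\Temp\Stand.exe"},
    {"EventID": 13, "Image": r"C:\Users\u\AppData\Local\Temp\Stand.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 3, "Image": r"C:\Users\u\AppData\Local\Temp\Stand.exe",
     "DestinationIp": "147.185.221.19", "DestinationPort": "22671"},
    # Benign noise: loopback connect on the same port, and an unrelated Run key.
    {"EventID": 3, "Image": r"C:\Program Files\app\app.exe",
     "DestinationIp": "127.0.0.1", "DestinationPort": "22671"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    for rule, idxs in sorted(hunt(SAMPLE_EVENTS).items()):
        print(f"{rule}: events {idxs}")
```

The rules key on the installed copy (Stand.exe under %Temp%) rather than on the launcher's hashes, since the launcher is what a sandbox sees but the dropped file is what persists on a victim; the policy rule additionally requires the DWORD to be 1, so a policy being reset to 0 by cleanup tooling does not fire it.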
MITRE ATT&CK Enterprise v15 (number of matching signatures per technique)
Persistence
- BITS Jobs: 1
- Boot or Logon Autostart Execution: 2
  - Registry Run Keys / Startup Folder: 2
- Create or Modify System Process: 2
  - Windows Service: 2
- Scheduled Task/Job: 1
Privilege Escalation
- Abuse Elevation Control Mechanism: 1
  - Bypass User Account Control: 1
- Boot or Logon Autostart Execution: 2
  - Registry Run Keys / Startup Folder: 2
- Create or Modify System Process: 2
  - Windows Service: 2
- Scheduled Task/Job: 1
Defense Evasion
- Abuse Elevation Control Mechanism: 1
  - Bypass User Account Control: 1
- BITS Jobs: 1
- Impair Defenses: 3
  - Disable or Modify System Firewall: 1
  - Disable or Modify Tools: 1
- Modify Registry: 5