General

  • Target

    Krampus V1.0.5.exe

  • Size

    7.4MB

  • Sample

    240420-p51haahb77

  • MD5

    6cfc075819c99a2c6515729392b9ba02

  • SHA1

    c6224ff71c43b6ae461d9ad870da5002a4e8bd5e

  • SHA256

    a98d837ed01480f717df0d2f47021b757b8093469134f321cbd1e1a4c6fb8f5c

  • SHA512

    7ee09e6c429f010a2e74170dcc0bc7c984fb436cbdf8eedba5c48eb8b82f68338aad9e5293b93438b191afd0d22277db0befb2f0c9d8392365bebeea209b53b6

  • SSDEEP

    98304:NSc0SbSMt+dnz8JjHWxJHRLIHzcrmpliRYOeTjcIJ1IlhlWu8hK87N7Ceg6H08Bi:gMt+dnIdHWxdKHoYOeXRihlWu8YgoP/

Malware Config

Extracted

Family

xworm

C2

yet-musicians.gl.at.ply.gg:27619

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    discord.exe

Targets

    • Target

      Krampus V1.0.5.exe

    • Size

      7.4MB

    • Deletes Windows Defender Definitions

      Uses mpcmdrun utility to delete all AV definitions.

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Drops file in Drivers directory

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v13)

Execution

  • Command and Scripting Interpreter (T1059): 1

  • Scheduled Task/Job (T1053): 1

Persistence

  • Boot or Logon Autostart Execution (T1547): 1

  • Registry Run Keys / Startup Folder (T1547.001): 1

  • Scheduled Task/Job (T1053): 1

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 1

  • Registry Run Keys / Startup Folder (T1547.001): 1

  • Scheduled Task/Job (T1053): 1

Defense Evasion

  • Impair Defenses (T1562): 1

  • Modify Registry (T1112): 1

  • Hide Artifacts (T1564): 1

  • Hidden Files and Directories (T1564.001): 1

Credential Access

  • Unsecured Credentials (T1552): 2

  • Credentials In Files (T1552.001): 2

Discovery

  • System Information Discovery (T1082): 3

  • Process Discovery (T1057): 1

  • Query Registry (T1012): 1

Collection

  • Data from Local System (T1005): 2

Command and Control

  • Web Service (T1102): 1
Tasks