General
-
Target
Krampus V1.0.5.exe
-
Size
7.4MB
-
Sample
240420-pgbh9ahb8v
-
MD5
9093196e3af056e67c1e391d177bf344
-
SHA1
7a4707c8f4bb6a2b7b189ccfe0b7837c579d105a
-
SHA256
9930d9ce76282ccf0b4940c6cbe8855ebf56f1af8edda8b6a630a4fb2f71860c
-
SHA512
f40489e694427711415a92d0ebdc0a2760f7f5d5398069b8006cdee5757bcfc3f106ed4b533c7e586a3571c5f0efba96296a9ea2ffec3ba43dce3a5e1b6922f8
-
SSDEEP
98304:oSc0SbSMt+dnz8JjHWxJHRLIHzcrmpliRYOeTjcIJ1IlhlWu8hK87N7Ceg6H0Sy4:JMt+dnIdHWxdKHoYOeXRihlWu8YgoPS
Static task
static1
Malware Config
Extracted
xworm
navigation-psychological.gl.at.ply.gg:32187
-
Install_directory
%Userprofile%
-
install_file
discord.exe
Targets
-
-
Target
Krampus V1.0.5.exe
-
Size
7.4MB
-
MD5
9093196e3af056e67c1e391d177bf344
-
SHA1
7a4707c8f4bb6a2b7b189ccfe0b7837c579d105a
-
SHA256
9930d9ce76282ccf0b4940c6cbe8855ebf56f1af8edda8b6a630a4fb2f71860c
-
SHA512
f40489e694427711415a92d0ebdc0a2760f7f5d5398069b8006cdee5757bcfc3f106ed4b533c7e586a3571c5f0efba96296a9ea2ffec3ba43dce3a5e1b6922f8
-
SSDEEP
98304:oSc0SbSMt+dnz8JjHWxJHRLIHzcrmpliRYOeTjcIJ1IlhlWu8hK87N7Ceg6H0Sy4:JMt+dnIdHWxdKHoYOeXRihlWu8YgoPS
-
Detect Xworm Payload
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1