General

  • Target

    Krampus V1.0.5.exe

  • Size

    7.4MB

  • Sample

    240420-ta4nnscf4t

  • MD5

    6cfc075819c99a2c6515729392b9ba02

  • SHA1

    c6224ff71c43b6ae461d9ad870da5002a4e8bd5e

  • SHA256

    a98d837ed01480f717df0d2f47021b757b8093469134f321cbd1e1a4c6fb8f5c

  • SHA512

    7ee09e6c429f010a2e74170dcc0bc7c984fb436cbdf8eedba5c48eb8b82f68338aad9e5293b93438b191afd0d22277db0befb2f0c9d8392365bebeea209b53b6

  • SSDEEP

    98304:NSc0SbSMt+dnz8JjHWxJHRLIHzcrmpliRYOeTjcIJ1IlhlWu8hK87N7Ceg6H08Bi:gMt+dnIdHWxdKHoYOeXRihlWu8YgoP/

Malware Config

Extracted

Family

xworm

C2

yet-musicians.gl.at.ply.gg:27619

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    discord.exe

Targets

    • Target

      Krampus V1.0.5.exe

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

    • UPX packed file

      Detects executables packed with UPX, or a modified build of it (an open-source packer).

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory
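
The extracted config and the behaviour signatures above together give the indicators a responder needs: the sample hashes, the C2 endpoint on a *.ply.gg tunnel domain (the "Legitimate hosting services abused" signature), the drop path %Userprofile%\discord.exe and Run-key persistence. The Python below is an added example, not part of the sandbox report and not the xworm family's own code: it runs those indicators over constructed, Sysmon-like JSON telemetry. The event schema (event, image, target, dest_host, dest_port, sha256, key, data) is an assumption chosen for the example, and the check that a discord.exe sitting in the profile root is abnormal rests on the assumption that the legitimate Discord client installs under %LocalAppData%\Discord, which the report itself does not state.

```python
"""Hunt for the XWorm indicators from the report in endpoint telemetry.

Added example, not part of the sandbox report. The log format is a constructed,
Sysmon-like JSON-lines schema; the field names are assumptions for this example.
"""
import json
import ntpath
import re

# Indicators copied from the report's General and Malware Config sections.
IOC = {
    "sha256": "a98d837ed01480f717df0d2f47021b757b8093469134f321cbd1e1a4c6fb8f5c",
    "c2_host": "yet-musicians.gl.at.ply.gg",
    "c2_port": 27619,
    "install_file": "discord.exe",   # dropped into %Userprofile%
}

# %Userprofile% expands to the profile root (e.g. C:\Users\alice). Assumption for
# this example: the real Discord client lives under %LocalAppData%\Discord, so a
# discord.exe directly in the profile root is the RAT's install location.
PROFILE_ROOT = re.compile(r"^[a-z]:\\users\\[^\\]+$", re.IGNORECASE)
RUN_KEY = re.compile(
    r"^(HKCU|HKLM|HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE)"
    r"\\software\\microsoft\\windows\\currentversion\\run$",
    re.IGNORECASE,
)


def is_install_path(path: str) -> bool:
    """True for <profile root>\\discord.exe, the install path from the config."""
    head, tail = ntpath.split(path)
    return tail.lower() == IOC["install_file"] and bool(PROFILE_ROOT.match(head))


def classify(event: dict) -> list:
    """Return the names of every indicator an event matches (empty if benign)."""
    hits = []
    kind = event.get("event")
    if kind == "network":
        if event.get("dest_host", "").lower() == IOC["c2_host"]:
            hits.append("c2_host")
        if event.get("dest_port") == IOC["c2_port"]:
            hits.append("c2_port")
    elif kind == "process":
        if event.get("sha256", "").lower() == IOC["sha256"]:
            hits.append("sample_sha256")
        if is_install_path(event.get("image", "")):
            hits.append("install_path")
    elif kind == "file":
        if is_install_path(event.get("target", "")):
            hits.append("install_path")
    elif kind == "registry":
        # "Adds Run key to start application": a Run value pointing at the dropper.
        if RUN_KEY.match(event.get("key", "")) and IOC["install_file"] in event.get("data", "").lower():
            hits.append("run_key_persistence")
    return hits


def hunt(lines) -> list:
    """Return (line number, hits) for every JSON log line matching an indicator."""
    results = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the hunt
        hits = classify(event)
        if hits:
            results.append((n, hits))
    return results


# Constructed sample telemetry (not from the report). Lines 1 and 3 are benign:
# the real Discord client under AppData and an ordinary HTTPS connection.
SAMPLE_LOG = r"""
{"event": "process", "image": "C:\\Users\\alice\\AppData\\Local\\Discord\\app-1.0.9\\Discord.exe", "sha256": "0000"}
{"event": "process", "image": "C:\\Users\\alice\\Downloads\\Krampus V1.0.5.exe", "sha256": "a98d837ed01480f717df0d2f47021b757b8093469134f321cbd1e1a4c6fb8f5c"}
{"event": "network", "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "dest_host": "example.org", "dest_port": 443}
{"event": "file", "image": "C:\\Users\\alice\\Downloads\\Krampus V1.0.5.exe", "target": "C:\\Users\\alice\\discord.exe"}
{"event": "registry", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "discord", "data": "C:\\Users\\alice\\discord.exe"}
{"event": "network", "image": "C:\\Users\\alice\\discord.exe", "dest_host": "yet-musicians.gl.at.ply.gg", "dest_port": 27619}
""".strip("\n").splitlines()

if __name__ == "__main__":
    for line_no, hits in hunt(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(hits)}")
```

A port-only match is weak evidence on its own (27619 is an arbitrary high port), so treat c2_port without c2_host as a lead to pivot on rather than a verdict; the host name, the sample hash and the profile-root drop path are the stronger signals, and the Run value is what to remove when cleaning up.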

MITRE ATT&CK Enterprise v15