Overview

overview

10

Static

static

3

Krampus V1.0.5.exe

windows7-x64

10

Krampus V1.0.5.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Krampus V1.0.5.exe

  • Size

    7.4MB

  • Sample

    240420-ta4nnscf4t

  • MD5

    6cfc075819c99a2c6515729392b9ba02

  • SHA1

    c6224ff71c43b6ae461d9ad870da5002a4e8bd5e

  • SHA256

    a98d837ed01480f717df0d2f47021b757b8093469134f321cbd1e1a4c6fb8f5c

  • SHA512

    7ee09e6c429f010a2e74170dcc0bc7c984fb436cbdf8eedba5c48eb8b82f68338aad9e5293b93438b191afd0d22277db0befb2f0c9d8392365bebeea209b53b6

  • SSDEEP

    98304:NSc0SbSMt+dnz8JjHWxJHRLIHzcrmpliRYOeTjcIJ1IlhlWu8hK87N7Ceg6H08Bi:gMt+dnIdHWxdKHoYOeXRihlWu8YgoP/

Score
10/10
xwormpersistenceratspywarestealertrojanupx

Malware Config

Extracted

Family

xworm

C2

yet-musicians.gl.at.ply.gg:27619

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    discord.exe

Targets

    • Target

      Krampus V1.0.5.exe

    • Size

      7.4MB

    • MD5

      6cfc075819c99a2c6515729392b9ba02

    • SHA1

      c6224ff71c43b6ae461d9ad870da5002a4e8bd5e

    • SHA256

      a98d837ed01480f717df0d2f47021b757b8093469134f321cbd1e1a4c6fb8f5c

    • SHA512

      7ee09e6c429f010a2e74170dcc0bc7c984fb436cbdf8eedba5c48eb8b82f68338aad9e5293b93438b191afd0d22277db0befb2f0c9d8392365bebeea209b53b6

    • SSDEEP

      98304:NSc0SbSMt+dnz8JjHWxJHRLIHzcrmpliRYOeTjcIJ1IlhlWu8hK87N7Ceg6H08Bi:gMt+dnIdHWxdKHoYOeXRihlWu8YgoP/

    Score
    10/10
    xwormpersistencerattrojanupxspywarestealer

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks