Overview

overview

8

Static

static

7

krampus.rar

windows10-1703-x64

3

krampus/9W...Oc.exe

windows10-1703-x64

1

krampus/bypass.exe

windows10-1703-x64

8

krampus/token.txt

windows10-1703-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    krampus.rar

  • Size

    12.6MB

  • Sample

    240426-r3125see9w

  • MD5

    91ca00a1ef292ac54dd6a88aec3c20a0

  • SHA1

    39b9adc83b78c77af5f14409f99a194920fa7205

  • SHA256

    402bcb097fe94f79072e2372d5e082dd0d91d6b8dc3f66435a7fc3f143adc33f

  • SHA512

    a531f5dce2039a9ca0ecad26d3b8d18c7b5e9feb22d9b5d21eaab23493320f9d5f30dc034335bd416706fb7b10ef27b3b51cbd20fc9ed70f0eee43254d009c8c

  • SSDEEP

    393216:ec8FNsBLVoNTJFQ+QoIYQSo4j4WVUX5KpEUVr+:ejuB6NTJkoIkVKX5EEya

Score
8/10
evasionpersistencevmprotect

Malware Config

Targets

    • Target

      krampus.rar

    • Size

      12.6MB

    • MD5

      91ca00a1ef292ac54dd6a88aec3c20a0

    • SHA1

      39b9adc83b78c77af5f14409f99a194920fa7205

    • SHA256

      402bcb097fe94f79072e2372d5e082dd0d91d6b8dc3f66435a7fc3f143adc33f

    • SHA512

      a531f5dce2039a9ca0ecad26d3b8d18c7b5e9feb22d9b5d21eaab23493320f9d5f30dc034335bd416706fb7b10ef27b3b51cbd20fc9ed70f0eee43254d009c8c

    • SSDEEP

      393216:ec8FNsBLVoNTJFQ+QoIYQSo4j4WVUX5KpEUVr+:ejuB6NTJkoIkVKX5EEya

    Score
    3/10
    behavioral1

    • Target

      krampus/9WTn3BjK3u2drMyMpZtkaOc.exe

    • Size

      6.0MB

    • MD5

      7943be58fd41da2c7797d8dcc64492f6

    • SHA1

      0c98ecdd366a9c7b5c983f37dafde36f4a3d9ae0

    • SHA256

      e6e2b09d02d832aa0125ca0edd91b6355ed7894486df984bedd3540ef443540f

    • SHA512

      be7ab190c664496c72e9d63248bd12f1cab6b4c0bd16e3f9c74234f6fc6486777870bb96cde9fbafd7a1dc195df3cf7379c57ed672fbbcf5e5631bd243e1336a

    • SSDEEP

      98304:53LZlfmLzff34R/UOcPUfUjH+nXGygrU9ND5DlIl+QyLb4L+DfRLXoV/A:5Yf6XaQU7ht455yl+zi+1A/

    Score
    1/10
    behavioral2

    • Target

      krampus/bypass.exe

    • Size

      7.4MB

    • MD5

      d3c5584fe92fd455a11fbd471367ed19

    • SHA1

      27fbd1494dd1bb3fc342e0d154d488bf1f13840b

    • SHA256

      1d66de5a2e89363766d2c02a734a5d9ad042818c215845db86b35723be291ead

    • SHA512

      a7a8b8cfe8628214b68d57abbea35d8c504f21bdd15a64224e834321e5afa093a7fa8db4dd069b043ddb2b31a73aa628958d656eae3c1eae2662ee50f36df668

    • SSDEEP

      196608:wXyQEUBhASXJXbaH0WE1tTrvOfnDbuQ07t:EE8ASR9WiNunDbuQ07t

    Score
    8/10
    evasionpersistencevmprotect

    • Creates new service(s)

      persistence

    • Stops running service(s)

      evasion

    • Executes dropped EXE

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral3

    • Target

      krampus/token.txt

    • Size

      12B

    • MD5

      e035b678949309293a0a419c20fd603c

    • SHA1

      cd704a7fbb6aa33b5ea9eb111c2efaf1c9181efa

    • SHA256

      42fa94d9e0662dc5447beac7742aa19ca864e271f1b7fad83c3b52f24ce6d596

    • SHA512

      d99b158a4feca48a94fdcb74da103b2136ee12c7aa81cdfce2600320c874b694ac4bd8906fda9d8667568c6a5284ecf62a6f72b9ae352d1670521d04d8f58912

    Score
    1/10
    behavioral4

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Privilege Escalation

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Defense Evasion

Impair Defenses

1
T1562

Credential Access

Discovery

System Information Discovery

2
T1082

Query Registry

1
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1
T1489

Resource Development

Reconnaissance

Tasks