Overview

overview

10

Static

static

10

Krampus/B1...BH.exe

windows7-x64

10

Krampus/B1...BH.exe

windows10-2004-x64

10

Krampus/ON...EN.exe

windows7-x64

7

Krampus/ON...EN.exe

windows10-2004-x64

7

$PLUGINSDI...ls.dll

windows7-x64

3

$PLUGINSDI...ls.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Bloxtrap.exe

windows7-x64

1

Bloxtrap.exe

windows10-2004-x64

LICENSES.c...m.html

windows7-x64

1

LICENSES.c...m.html

windows10-2004-x64

1

d3dcompiler_47.dll

windows10-2004-x64

1

ffmpeg.dll

windows7-x64

1

ffmpeg.dll

windows10-2004-x64

1

libEGL.dll

windows7-x64

1

libEGL.dll

windows10-2004-x64

1

libGLESv2.dll

windows7-x64

1

libGLESv2.dll

windows10-2004-x64

1

resources/elevate.exe

windows7-x64

1

resources/elevate.exe

windows10-2004-x64

1

vk_swiftshader.dll

windows7-x64

1

vk_swiftshader.dll

windows10-2004-x64

1

vulkan-1.dll

windows7-x64

1

vulkan-1.dll

windows10-2004-x64

1

$PLUGINSDI...7z.dll

windows7-x64

3

$PLUGINSDI...7z.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    C437rPSQNVzgjPbIKiUZsEqostl9FnPve5mDqEpa.zip

  • Size

    66.1MB

  • Sample

    240427-k6qx1sga8y

  • MD5

    6c6cf43a66079c890cc9dd419efeae4f

  • SHA1

    9675f1b6460cb16ea766335b83465b358255ee62

  • SHA256

    8117e22fbace37f3ed1dfdcc6567e655619970990acd0df94bd83996a7bdc957

  • SHA512

    1896eb26337ea92ee931a26c5d13e03df77a3a88deb1b5055aca158c3c0f8e74ed535e2790c7ec305335f6bd473c4dacb3cdb4ae1b661601b7f6389271bb4523

  • SSDEEP

    1572864:mJVa7OvQzyw/liz3XkU+G7Ayf7EfuqDDadM14ygCzEg6ZS80h//:tOvQzywEzX55fksCAgsS8a//

Score
10/10
xwormpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    svchost.exe

  • pastebin_url

    https://pastebin.com/raw/z5PQ82wE

Targets

    • Target

      Krampus/B1OdUv8CBH.exe

    • Size

      1.0MB

    • MD5

      73a20ee98214059033a93ff5da62d903

    • SHA1

      a35422a4969f7d79fc9cf597cf40b7456d5b05d8

    • SHA256

      5df7cf7c7d153a0e55b0ca9299d00c26625e70cff3613540c5718fe74e4c7d12

    • SHA512

      7c3b08ebbc57467aa3615b14d7ea6f629e03e49c17d6268f62345cc58f4ca9823e45ef101c1e247db354ca944481470f94f9c226bc7774f78da9ad0185a76b47

    • SSDEEP

      1536:ZAiYlXZeFi9eKNVlb8i7ZUNQmD4O+HoddUT:anpo2Xb8C8D4OUoET

    Score
    10/10
    xwormpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

    • Target

      Krampus/ONLY RUN THIS IF IT DOESNT OPEN.exe

    • Size

      65.8MB

    • MD5

      7843ebba5f00c26945ffc032e71a4163

    • SHA1

      d0911a0e6e382cac3a3222bb587e29a9ce693d2d

    • SHA256

      fe114a523c18b9272554ededc7cb031b3aaf4dde03c6fbbe0ef3ce4b26f1211e

    • SHA512

      9b416f7f8eabffd377540deb558efcee8df4d1a6d12b2df2d48a23717cfe4b3aee842d6ec3d3e3e461508b31c1317df80251fd157f13111a7528f57000ecb3ff

    • SSDEEP

      1572864:9rziNx5qvoWg1ohltSg0eD0ApfkxUAv/iryZwOcS/QW956EiPc7:Yx5qvoWR/tJLD0ASoWr6EUc7

    Score
    7/10
    persistencespywarestealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • An obfuscated cmd.exe command-line is typically used to evade detection.

    behavioral3behavioral4

    • Target

      $PLUGINSDIR/StdUtils.dll

    • Size

      100KB

    • MD5

      c6a6e03f77c313b267498515488c5740

    • SHA1

      3d49fc2784b9450962ed6b82b46e9c3c957d7c15

    • SHA256

      b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

    • SHA512

      9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

    • SSDEEP

      3072:WNuZmJ9TDP3ahD2TF7Rq9cJNPhF9vyHf:WNuZ81zaAFHhF9v

    Score
    3/10
    behavioral5behavioral6

    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      0d7ad4f45dc6f5aa87f606d0331c6901

    • SHA1

      48df0911f0484cbe2a8cdd5362140b63c41ee457

    • SHA256

      3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

    • SHA512

      c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

    • SSDEEP

      192:1enY0LWelt70elWjvfstJcVtwtYbjnIOg5AaDnbC7ypXhtIj:18PJlt70esj0Mt9vn6ay6

    Score
    3/10
    behavioral7behavioral8

    • Target

      Bloxtrap.exe

    • Size

      154.5MB

    • MD5

      0daf58dbc703cbe8e60639216cc04798

    • SHA1

      26ef3e3ad52f9efb1a3f172f537ec48ee24fbedc

    • SHA256

      920bffc0ec1e85fbab67c59f83f8a673ab8ed764b0ea3cc92e4bc7665e040bbf

    • SHA512

      fa48d615524827ef598f6e432080ed35f824de3d56e8f6b9ed853d6caf1848580e503209b1002f2c7b666734ad08a17c9e705be8029afe900793d8288b32b437

    • SSDEEP

      1572864:2CquurbtqKajQe7vqrTU4PrCsdCXrBngPE1cG7VOWe2IkBmUgq3Fd6iU3x6VCdbm:MDAgZi

    Score
    7/10
    persistencespywarestealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • An obfuscated cmd.exe command-line is typically used to evade detection.

    behavioral10behavioral9

    • Target

      LICENSES.chromium.html

    • Size

      6.5MB

    • MD5

      180f8acc70405077badc751453d13625

    • SHA1

      35dc54acad60a98aeec47c7ade3e6a8c81f06883

    • SHA256

      0bfa9a636e722107b6192ff35c365d963a54e1de8a09c8157680e8d0fbbfba1c

    • SHA512

      40d3358b35eb0445127c70deb0cb87ec1313eca285307cda168605a4fd3d558b4be9eb24a59568eca9ee1f761e578c39b2def63ad48e40d31958db82f128e0ec

    • SSDEEP

      24576:d7rs5kjWSnB3lWNeUmf0f6W6M6q6A6r/HXpErpem:rovj

    Score
    1/10
    behavioral11behavioral12

    • Target

      d3dcompiler_47.dll

    • Size

      4.7MB

    • MD5

      cb9807f6cf55ad799e920b7e0f97df99

    • SHA1

      bb76012ded5acd103adad49436612d073d159b29

    • SHA256

      5653bc7b0e2701561464ef36602ff6171c96bffe96e4c3597359cd7addcba88a

    • SHA512

      f7c65bae4ede13616330ae46a197ebad106920dce6a31fd5a658da29ed1473234ca9e2b39cc9833ff903fb6b52ff19e39e6397fac02f005823ed366ca7a34f62

    • SSDEEP

      49152:IuhjwXkKcimPVqB4faGCMhGNYYpQVTxx6k/ftO4w6FXKpOD21pLeXvZCoFwI8cc:oy904wYbZCoOI85oyI

    Score
    1/10
    behavioral13

    • Target

      ffmpeg.dll

    • Size

      2.7MB

    • MD5

      d49e7a8f096ad4722bd0f6963e0efc08

    • SHA1

      6835f12391023c0c7e3c8cc37b0496e3a93a5985

    • SHA256

      f11576bf7ffbc3669d1a5364378f35a1ed0811b7831528b6c4c55b0cdc7dc014

    • SHA512

      ca50c28d6aac75f749ed62eec8acbb53317f6bdcef8794759af3fad861446de5b7fa31622ce67a347949abb1098eccb32689b4f1c54458a125bc46574ad51575

    • SSDEEP

      49152:XMoI7Qj3trgDtcfkW76fSL5Yqq6uthy4Y6NO8PyJegPTagrcjdiCOi2iNN3lzl3U:H3Kk76fUq/4TagreBOirnW

    Score
    1/10
    behavioral14behavioral15

    • Target

      libEGL.dll

    • Size

      468KB

    • MD5

      09134e6b407083baaedf9a8c0bce68f2

    • SHA1

      8847344cceeab35c1cdf8637af9bd59671b4e97d

    • SHA256

      d2107ba0f4e28e35b22837c3982e53784d15348795b399ad6292d0f727986577

    • SHA512

      6ff3adcb8be48d0b505a3c44e6550d30a8feaf4aa108982a7992ed1820c06f49e0ad48d9bd92685fb82783dfd643629bd1fe4073300b61346b63320cbdb051ba

    • SSDEEP

      12288:su0LAjbIkyVVR8O9v/6TiT5eU3axzvYwo:sub49/6TiQzvYX

    Score
    1/10
    behavioral16behavioral17

    • Target

      libGLESv2.dll

    • Size

      7.2MB

    • MD5

      a5f1921e6dcde9eaf42e2ccc82b3d353

    • SHA1

      1f6f4df99ae475acec4a7d3910badb26c15919d1

    • SHA256

      50c4dc73d69b6c0189eab56d27470ee15f99bbbc12bfd87ebe9963a7f9ba404e

    • SHA512

      0c24ae7d75404adf8682868d0ebf05f02bbf603f7ddd177cf2af5726802d0a5afcf539dc5d68e10dab3fcfba58903871c9c81054560cf08799af1cc88f33c702

    • SSDEEP

      98304:BuT3g23jeZ/02YPuLaw5RoD1rfEQ3CPdOEabcgsOMdi:BuDPTwLap14QzEijsvi

    Score
    1/10
    behavioral18behavioral19

    • Target

      resources/elevate.exe

    • Size

      105KB

    • MD5

      792b92c8ad13c46f27c7ced0810694df

    • SHA1

      d8d449b92de20a57df722df46435ba4553ecc802

    • SHA256

      9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37

    • SHA512

      6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

    • SSDEEP

      3072:1bLnrwQoRDtdMMgSXiFJWcIgUVCfRjV/GrWl:1PrwRhte1XsE1l

    Score
    1/10
    behavioral20behavioral21

    • Target

      vk_swiftshader.dll

    • Size

      5.0MB

    • MD5

      a0845e0774702da9550222ab1b4fded7

    • SHA1

      65d5bd6c64090f0774fd0a4c9b215a868b48e19b

    • SHA256

      6150a413ebe00f92f38737bdccf493d19921ef6329fcd48e53de9dbde4780810

    • SHA512

      4be0cb1e3c942a1695bae7b45d21c5f70e407132ecc65efb5b085a50cdab3c33c26e90bd7c86198ec40fb2b18d026474b6c649776a3ca2ca5bff6f922de2319b

    • SSDEEP

      49152:tG7ixZvPbWjIXTFy1RYQZHJvuZBiDTwgvsrt5/PXd0kpmaN+WUf4CvB25zT7RCAq:c7iDPqjvzO1Lhgf49zT7grg4

    Score
    1/10
    behavioral22behavioral23

    • Target

      vulkan-1.dll

    • Size

      899KB

    • MD5

      0e4e0f481b261ea59f196e5076025f77

    • SHA1

      c73c1f33b5b42e9d67d819226db69e60d2262d7b

    • SHA256

      f681844896c084d2140ac210a974d8db099138fe75edb4df80e233d4b287196a

    • SHA512

      e6127d778ec73acbeb182d42e5cf36c8da76448fbdab49971de88ec4eb13ce63140a2a83fc3a1b116e41f87508ff546c0d7c042b8f4cdd9e07963801f3156ba2

    • SSDEEP

      24576:PR9nl1crwjLAQw6Z5WUDYsH56g3P0zAk7:PR1l1culw6Z5WUDYsH56g3P0zAk7

    Score
    1/10
    behavioral24behavioral25

    • Target

      $PLUGINSDIR/nsis7z.dll

    • Size

      424KB

    • MD5

      80e44ce4895304c6a3a831310fbf8cd0

    • SHA1

      36bd49ae21c460be5753a904b4501f1abca53508

    • SHA256

      b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

    • SHA512

      c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

    • SSDEEP

      6144:aUWQQ5O3fz0NG3ucDaEUTWfk+ZA0NrCL/k+uyoyBOX1okfW7w+Pfzqibckl:an5QEG39fPAkrE4yrBOXDfaNbck

    Score
    3/10
    behavioral26behavioral27

MITRE ATT&CK Enterprise v15

Tasks