Resubmissions

15-05-2024 20:48

240515-zlh41abe76 10

15-05-2024 20:44

240515-zjbbdaba7t 10

General

  • Target

    Nurik Crack.exe

  • Size

    17.1MB

  • Sample

    240515-zjbbdaba7t

  • MD5

    b7f43033dec1673444774fff98ce38a2

  • SHA1

    98c5e478d0442b04610742dc997ad227f63ab5bb

  • SHA256

    c0fb1c29e216e6ede0976d74218c4565ee5a525765995883e3d6c39d50e7c5a0

  • SHA512

    7e04c6491b659a51ce33c25c4d1e246850228d3098f22c82d4aa25df2726d69ce8d784d0c40376516c1b78aa8d9a0d5c7a2d1b7b57572b04e9fa532a6dac7ee1

  • SSDEEP

    393216:NUXX0vOtgLY3q/kXpUbIicANsdh9IvI4I4dHK/w/ZZqplCyLIr:CKaBPZUbIEyXuJPZGDIr

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:1337

104.28.229.13:1337

192.168.2.133:1337

Attributes
  • Install_directory

    %ProgramData%

  • telegram

    https://api.telegram.org/bot6911706583:AAGIck5-GICDZLswgqJrJgL5L_TBxq7tj7Y/sendMessage?chat_id=6727135086
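The extracted C2 list mixes a loopback address (127.0.0.1) and an RFC 1918 address (192.168.2.133) with one public address; only the public one can be matched on traffic leaving a victim network, and blocking the other two would do nothing useful. The Python below is added here as a worked example and is not part of the sandbox report: it classifies the endpoints with the standard library, separates the Telegram bot ID and chat ID from the bot token so the indicator can be shared without the credential, and emits a Suricata rule for the routable C2. The config dict is a constructed copy of the values shown above; the Suricata SID base is an assumption.

```python
import ipaddress
from urllib.parse import parse_qs, urlparse

# Constructed copy of the config extracted above (family, C2 list, install
# directory, Telegram URL), embedded so the script runs offline.
EXTRACTED_CONFIG = {
    "family": "xworm",
    "c2": ["127.0.0.1:1337", "104.28.229.13:1337", "192.168.2.133:1337"],
    "install_directory": "%ProgramData%",
    "telegram": (
        "https://api.telegram.org/bot6911706583:AAGIck5-GICDZLswgqJrJgL5L_TBxq7tj7Y"
        "/sendMessage?chat_id=6727135086"
    ),
}


def classify_endpoint(endpoint):
    """Split 'host:port' and classify the host.

    Returns (host, scope, port) with scope one of loopback, private, public
    or hostname (not an IP literal)."""
    host, _, port = endpoint.rpartition(":")
    port = int(port)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host, "hostname", port
    if ip.is_loopback:
        return host, "loopback", port
    if ip.is_private or ip.is_link_local:
        return host, "private", port
    return host, "public", port


def telegram_indicators(url):
    """Pull the bot ID and chat_id out of a Telegram Bot API URL.

    The token after 'bot<id>:' is a live credential; report the bot ID and
    chat ID only, so the indicator can be shared without the secret."""
    parsed = urlparse(url)
    bot_segment = parsed.path.strip("/").split("/")[0]  # 'bot<id>:<token>'
    bot_id = bot_segment[len("bot"):].split(":", 1)[0]
    chat_id = parse_qs(parsed.query).get("chat_id", [""])[0]
    return {"host": parsed.netloc, "bot_id": bot_id, "chat_id": chat_id}


def actionable_iocs(config):
    """Turn the extracted config into a hunting list.

    Loopback and private/link-local C2 entries cannot identify traffic leaving
    a victim network (they are typically a builder default or the operator's
    own test host), so they are listed separately rather than silently dropped
    or wrongly pushed to a blocklist."""
    network, not_actionable = [], []
    for endpoint in config["c2"]:
        host, scope, port = classify_endpoint(endpoint)
        entry = {"host": host, "port": port, "scope": scope}
        (network if scope in ("public", "hostname") else not_actionable).append(entry)
    return {
        "family": config["family"],
        "network": network,
        "not_actionable": not_actionable,
        "telegram": telegram_indicators(config["telegram"]),
        "host_artifacts": [config["install_directory"]],
    }


def suricata_rules(iocs, sid_base=9000001):
    """Emit one Suricata rule per routable IP C2 (egress direction).

    sid_base is an assumed private SID range; hostnames are skipped because
    they need a DNS or TLS SNI rule rather than an IP match."""
    rules = []
    for i, entry in enumerate(iocs["network"]):
        if entry["scope"] != "public":
            continue
        rules.append(
            "alert tcp $HOME_NET any -> {host} {port} "
            '(msg:"{family} C2 {host}:{port}"; sid:{sid}; rev:1;)'.format(
                host=entry["host"], port=entry["port"],
                family=iocs["family"], sid=sid_base + i))
    return rules


if __name__ == "__main__":
    result = actionable_iocs(EXTRACTED_CONFIG)
    for entry in result["not_actionable"]:
        print("skip  %(host)s:%(port)d (%(scope)s)" % entry)
    for rule in suricata_rules(result):
        print(rule)
    print("telegram bot", result["telegram"]["bot_id"],
          "chat", result["telegram"]["chat_id"])
```

The Telegram host (api.telegram.org) is a legitimate service and should not be blocked on its own; the bot ID and chat ID are the parts worth correlating across samples.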

Targets

    • Target

      Nurik Crack.exe


    • DcRat

      DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Detected potential entity reuse from brand Microsoft.

    • Suspicious use of SetThreadContext
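Two of the behaviours above leave text in PowerShell script block logging (Event ID 4104): the Add-MpPreference calls that add Defender exclusions, and the Run key write that pairs with the %ProgramData% Install_directory in the extracted config. The Python below is an added example, not part of the sandbox report: it runs those two detections over constructed script-block samples and tags each hit with its ATT&CK technique (T1562.001 for the exclusions, T1547.001 for the Run key). The sample lines, the file name svc.exe and the value name are constructed for the example and do not come from this report's task output.

```python
import re

# Constructed PowerShell ScriptBlockText samples (the shape of Event ID 4104
# entries), not output from this report's tasks. Line 7 abbreviates the
# parameter name, which PowerShell accepts and a full-name match would miss.
SAMPLE_SCRIPT_BLOCKS = [
    r'Add-MpPreference -ExclusionPath "C:\ProgramData"',
    r'Add-MpPreference -ExclusionExtension ".exe"',
    r'Add-MpPreference -ExclusionProcess "C:\ProgramData\svc.exe"',
    r'Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "svc" -Value "C:\ProgramData\svc.exe"',
    r"Get-MpPreference | Select-Object -ExpandProperty ExclusionPath",
    r'Get-ChildItem "C:\ProgramData"',
    r"Add-MpPreference -ExclusionPa 'C:\ProgramData'",
]

# Add-/Set-MpPreference with any -Exclusion* parameter, including the
# prefix-abbreviated spellings PowerShell accepts (-ExclusionPa, -ExclusionE).
DEFENDER_EXCLUSION = re.compile(
    r"\b(?:Add|Set)-MpPreference\b.*?-Exclusion\w*", re.I)

# Run/RunOnce keys under either hive, in PowerShell drive or reg.exe spelling.
RUN_KEY = re.compile(
    r"(?:HKCU:?|HKLM:?|HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE)"
    r"\\[^\s'\"]*CurrentVersion\\Run(?:Once)?\b", re.I)

# A path under ProgramData, the Install_directory in the extracted config.
PROGRAMDATA = re.compile(r"(?:%ProgramData%|[A-Z]:\\ProgramData)\b", re.I)


def detect(script_blocks):
    """Run both detections over a list of script-block texts.

    Returns one hit per matching behaviour with the ATT&CK technique and the
    matched evidence; a single script block can yield more than one hit."""
    hits = []
    for lineno, text in enumerate(script_blocks, start=1):
        m = DEFENDER_EXCLUSION.search(text)
        if m:
            hits.append({"line": lineno, "technique": "T1562.001",
                         "name": "Defender exclusion added via PowerShell",
                         "evidence": m.group(0)})
        m = RUN_KEY.search(text)
        if m:
            name = "Run key persistence"
            if PROGRAMDATA.search(text):
                name += " pointing under ProgramData (matches Install_directory)"
            hits.append({"line": lineno, "technique": "T1547.001",
                         "name": name, "evidence": m.group(0)})
    return hits


def summarize(hits):
    """Count hits per ATT&CK technique."""
    counts = {}
    for hit in hits:
        counts[hit["technique"]] = counts.get(hit["technique"], 0) + 1
    return counts


if __name__ == "__main__":
    found = detect(SAMPLE_SCRIPT_BLOCKS)
    for hit in found:
        print("line %(line)d  %(technique)s  %(name)s  [%(evidence)s]" % hit)
    print(summarize(found))
```

Two caveats when running this against real 4104 events: long scripts are split across several events sharing a ScriptBlockId, so join them before matching; and a Run key written through the registry API rather than PowerShell shows up in Sysmon Event ID 13, not in script block logs, so the RUN_KEY pattern should also be applied to that event's TargetObject field.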

MITRE ATT&CK Enterprise v15

Tasks