Overview

overview

10

Static

static

3

cracutor1....it.dll

windows11-21h2-x64

1

cracutor1....ne.exe

windows11-21h2-x64

3

cracutor1....er.bat

windows11-21h2-x64

10

cracutor1....ity.js

windows11-21h2-x64

3

cracutor1....or.bat

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    cracutor-executor-main.zip

  • Size

    3.6MB

  • Sample

    240524-q67hnagb8x

  • MD5

    283b4be19a84b9c8d8b4f65675555dc5

  • SHA1

    81c682de1d5f5a102bee1bbc43a5a367cd666b15

  • SHA256

    108a8547e28be119cf8aaabc2b44e117e599a69297f9e186ab7635dec6e27b04

  • SHA512

    1fa4f108034bfce2c48890ad57105bcd3e21e81e241bfa515162419296fda2af2f774245f53afaafa5f359cbf7283f232fa84e0dcc0ffc79fc7d8c0e81eeb29b

  • SSDEEP

    98304:CVEvJloYM27Bw2eD/s7JMMU2SiMAq12nOUS8A1QMtmF:HJHM2Fwhs7JJ8rB3dlu

Score
10/10
stormkittyxwormexecutionpyinstallerratspywarestealertrojan

Malware Config

Extracted

Family

xworm

C2

publisher-misc.gl.at.ply.gg:58207:58207

publisher-misc.gl.at.ply.gg:58207
Attributes
  • Install_directory

    %Temp%

  • install_file

    RuntimeBroker.exe

Targets

    • Target

      cracutor1.0/cracutor (1)/ICSharpCode.AvalonEdit.dll

    • Size

      606KB

    • MD5

      b017eb5c0f851971f9ebd816efac43cc

    • SHA1

      ca1ade1b09f1667963242f49f2b97feaed76ce08

    • SHA256

      bf15ddb6056e9654ad66641752f8e7cbabf6e0171ef3c671cd70d844855e9d62

    • SHA512

      ed03fabe2701f5648d7cc767be059b0ffc3f2824475963c49b8ac68634f0b5cdde8dc15d3f02a39c61f85736d607598e2bab8e39c065a6476879ed4729e9c930

    • SSDEEP

      6144:QxYTpmH0OfxomgEFQP2fEqnkCOx7G0h7vcThz52gkjNuY+535n+kUXjWUUK8tKNz:QKTpmH7CJxiaeN2gkUn5UNH/

    Score
    1/10
    behavioral1

    • Target

      cracutor1.0/cracutor (1)/Neptune.exe

    • Size

      2.0MB

    • MD5

      03d0c69e31fd77718e661722361c0a5c

    • SHA1

      04e02539771963a628477f6546be48d2d912a612

    • SHA256

      255834540df95d84167a197acc6e70d9b80baa5dc15ddb16060508be498f1e78

    • SHA512

      94ed7ee2ad72a4b80fc9121483c5b95ad2a1036b3a20f60499d59cc1255635bcade467952b828a3b27415ddd799c8b3a89476bc0f34726292f6632249fa0d986

    • SSDEEP

      49152:DBg2KouMMLSgIOiJgX+JvYLF1ESGbYGcJcDKbw:djKouMaXc4F1cmuDKb

    Score
    3/10
    behavioral2

    • Target

      cracutor1.0/cracutor (1)/RuntimeBroker.bat

    • Size

      1.4MB

    • MD5

      5f2ca709edfb4aab62c0d293fc078a8d

    • SHA1

      e0ee77775465e261c7e0f48643c6d66af21841c2

    • SHA256

      5edd619490ce715b05fa88acb9865fa2c290949483b5813f70083d4480e4bf05

    • SHA512

      833edd2aadcd390eeb9e264bdcbb790fa013b3141a5e092ed4f23b819903f6fce0edd68e337dd8801bc3529b80521b2aeddf06f245a6df37d1a3b2af97d41eaf

    • SSDEEP

      24576:Jo2hIxM0iKuWJzW21FPYEbTT9bLZfSRAHRtaBLmc2ZlzLMLM1XwXuV:s++iu3b15f7t4l0LMLM0uV

    Score
    10/10
    xwormexecutionrattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Drops startup file

    • Executes dropped EXE

    behavioral3

    • Target

      cracutor1.0/cracutor (1)/Scripts/Infinity.txt

    • Size

      431KB

    • MD5

      9ffb895c478c5c4ac3d0d3137d3843c9

    • SHA1

      f7562a1a7af6267d13436f1a4a64decbd9eb9635

    • SHA256

      dd9e7382501343c4acdb40a13d55dbfef9f10fb6adfb3664be404ee2a11cc663

    • SHA512

      dac83ec892c3e9a07a1ef809ca7ad2eab017c8c8349240878ee6ce2dfe7a350f9849af70bd3fbba8e476edadb98aec80d967086e4a4fd8b0c23c3450da02d028

    • SSDEEP

      6144:Gj/ItvuAewoSbr8ATyFE/T8Nm8TjmniX+1lpk0GWC8BwxA3PyTeD+z:Gj/Itvvbw6yFE2SniXmD+z

    Score
    3/10
    execution
    behavioral4

    • Target

      cracutor1.0/cracutor (1)/cracutor.bat

    • Size

      1.4MB

    • MD5

      000a836508cfa074075fa018fdb42d5f

    • SHA1

      e7690ef953435c37959639a579aee9fcc911b90e

    • SHA256

      b1a9d16d628c1d565fa577310ea64da8510ecd7f55e83e7de46c28c1c7b186f4

    • SHA512

      9899da986961105d6d6abe83403ff471d338fea3335b0df5e005db61429c7db843633a66e45cbbbfd8df82e37147816090eabae97747aa75df9495848d333863

    • SSDEEP

      24576:PSNWms9W6b/wu9Fs1i2sBLr3O39YEraFMcNg8K0C1yywyY9+iWBxKXDcungX94uO:aScQ4CfF3OL8XDCyn

    Score
    10/10
    stormkittyxwormexecutionpyinstallerratspywarestealertrojan

    • Detect Xworm Payload

    • StormKitty

      StormKitty is an open source info stealer written in C#.

      stealerstormkitty

    • StormKitty payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral5

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

3
T1059

PowerShell

2
T1059.001

JavaScript

1
T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

System Information Discovery

3
T1082

Process Discovery

1
T1057

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Resource Development

Reconnaissance

Tasks