General

  • Target

    5a263375f836ca004e5a13e840b4227be54534ca0e25c6f6c36e2dfe5be0a43e

  • Size

    2.9MB

  • Sample

    240618-1qq6vaxdmg

  • MD5

    dad2e8d95842b3c6679fa25b97927eb9

  • SHA1

    0d2fcd1a07437e73ec2005f21bc3b61e3448ac13

  • SHA256

    5a263375f836ca004e5a13e840b4227be54534ca0e25c6f6c36e2dfe5be0a43e

  • SHA512

    a9163b2d88be7c205ab9ec687ebedc1f264d738b2fcf09815c9934130bc6145d749bd58fb921f1d0ac79c9853ae5bd8da625c95f289d2cd28d706b2e066c60e4

  • SSDEEP

    49152:lbA30DB8OgeyTiE4LrEqh4JJILzCkp/SzrIXKgltQlZ9mwm/PU5KLOR0qkM8+Ouy:lbZGey+E4LwW4IuzrIXltEDjm/PtLORo

Malware Config

Extracted

  • Family

    xworm

  • Version

    5.0

  • C2

    127.0.0.1:15221
    6.tcp.eu.ngrok.io:15221
    4.tcp.eu.ngrok.io:15221
    0.tcp.eu.ngrok.io:15221
    5.tcp.eu.ngrok.io:15221
    2.tcp.eu.ngrok.io:15221
    7.tcp.eu.ngrok.io:15221

  • Mutex

    MgZFygjRnALbM4BW

  • Attributes

    • Install_directory

      %Public%

    • install_file

      SecurityHealthSystray.exe

    • aes.plain

Targets

    • DcRat

      DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.

    • Detect Xworm Payload

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Detects Windows executables referencing non-Windows User-Agents

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15