Resubmissions

  • 21-06-2024 08:21  240621-j8592swhmk  10
  • 21-06-2024 08:19  240621-j8b17swhkk  7

General

  • Target: Cryptic Release V1.4.4.rar
  • Size: 8.5MB
  • Sample: 240621-j8592swhmk
  • MD5: 64c985237b1a6594cda62bc549619d5f
  • SHA1: e5dd5aa111aff7d0bca9bfb275eb90ccf5cbebf4
  • SHA256: d9b85302923cf4d3f70ed1cc6ffd9823005c5020ab89d0bf2d7614f86e412008
  • SHA512: b3408a6fc2833211b4be54fc17b37b99493538375d4cc598f7777b5609fe2886828282140d18530f9073612b5b4538da57baf90743b38bd7d98d2e1703c5761d
  • SSDEEP: 196608:FmHtN8DJTJ3170UAZ8oNqbNq95sHQWOJ98zvJd5PB1hba5Lg:FmHtOlt317xAZ8oNqxq95DWO3svJdlBd

Malware Config

Extracted

  • Family: xworm
  • C2: 91.92.241.69:5555

Attributes

  • Install_directory: %ProgramData%
  • install_file: Windows Runtime.exe

Targets

    • Target: Cryptic Release V1.4.4.rar
    • Size: 8.5MB
    • MD5: 64c985237b1a6594cda62bc549619d5f
    • SHA1: e5dd5aa111aff7d0bca9bfb275eb90ccf5cbebf4
    • SHA256: d9b85302923cf4d3f70ed1cc6ffd9823005c5020ab89d0bf2d7614f86e412008
    • SHA512: b3408a6fc2833211b4be54fc17b37b99493538375d4cc598f7777b5609fe2886828282140d18530f9073612b5b4538da57baf90743b38bd7d98d2e1703c5761d
    • SSDEEP: 196608:FmHtN8DJTJ3170UAZ8oNqbNq95sHQWOJ98zvJd5PB1hba5Lg:FmHtOlt317xAZ8oNqxq95DWO3svJdlBd

    Score: 3/10

    • Target: Cryptic Release V1.4.4/ByfronHook.dll
    • Size: 21KB
    • MD5: 4e3e92823caeac1203beaa5a35d6dafc
    • SHA1: 893b591d46c39e817052cd05ec969fea74da4233
    • SHA256: 3811858da4b1f5e7f40d1237d7189ddca3989fa0d7b07e87c538f92975b893d2
    • SHA512: 0490e800f1e5c9b38b6c9b56616290f3a7214179e6d993214e3dd742d44d1d669fe5073b5a121c588c05f3e7c0ec576798236ee94e1a9b37e1d980d1969c9d33
    • SSDEEP: 384:pPLl4JbDL8XQZW8LN/4pvuBUyHVz0Ad29DtSLKZR2CF/9+8ADu/TyZdEPLe:pPh4yQZW8LNuAUyJl29DtSLKZR2m9+8m

    Score: 1/10

    • Target: Cryptic Release V1.4.4/Cryptic Release V1.4.exe
    • Size: 8.5MB
    • MD5: 3be927d08df2f452185bc35ae5709617
    • SHA1: e287ba2e481f3768678317e87099afdef4186294
    • SHA256: f99d78317fe908e8f863563f5b8662c21185dd256120b534dd3a3a842557fc3c
    • SHA512: 89490ed120cb8f73359a0a8f2b47957fcd55631f6b61e8ee9a7363d7792ecb3cb012270071949fd903b73792b4c83adc331dd3a02998c8789bd6198b95ee4a5f
    • SSDEEP: 196608:BB8BYmuJfX5aL0o/gGuwDfsBJcXIsEIKcmc3FzVT9tdVX:B2YmqfX5yIFwATcXIsGVc1zVTjdV

    • Detect Xworm Payload
    • Xworm
      Xworm is a remote access trojan written in C#.
    • Command and Scripting Interpreter: PowerShell
      Uses the powershell.exe command.
    • Checks computer location settings
      Looks up the country code configured in the registry, likely a geofence check.
    • Drops startup file
    • Executes dropped EXE
    • Loads dropped DLL
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials.
    • Accesses cryptocurrency files/wallets, possible credential harvesting
    • Adds Run key to start application
    • Looks up external IP address via web service
      Uses a legitimate IP lookup service to find the infected system's external IP.


    • Target: Cryptic Release V1.4.4/assets.dll
    • Size: 171KB
    • MD5: bcc0b07de0a24f9701fc97d154ecd660
    • SHA1: cb5ba3b790cee940b4d18ff78e5a6cd71bdad47d
    • SHA256: 672cb16128dea50e21fd2d98889e2d6a2264b654304a3f4248ebdf4c546f734a
    • SHA512: 18959767986401bc877d30416e550c55e97c158f674b8f76dc9af117494e65e11d6000521f72be93c193ebd38f84d1b9578386c24911fda97507277f06ebd8e4
    • SSDEEP: 3072:rN505WN505WN505WN505WN505WN505WN505WN505WN505m:rNJNJNJNJNJNJNJNJNB

    Score: 1/10

    • Target: Cryptic Release V1.4.4/bin/autoattach.dll
    • Size: 171KB
    • MD5: bcc0b07de0a24f9701fc97d154ecd660
    • SHA1: cb5ba3b790cee940b4d18ff78e5a6cd71bdad47d
    • SHA256: 672cb16128dea50e21fd2d98889e2d6a2264b654304a3f4248ebdf4c546f734a
    • SHA512: 18959767986401bc877d30416e550c55e97c158f674b8f76dc9af117494e65e11d6000521f72be93c193ebd38f84d1b9578386c24911fda97507277f06ebd8e4
    • SSDEEP: 3072:rN505WN505WN505WN505WN505WN505WN505WN505WN505m:rNJNJNJNJNJNJNJNJNB

    Score: 1/10

    • Target: Cryptic Release V1.4.4/instructions.txt
    • Size: 350B
    • MD5: 511f8a515b7613bbb254e78afdcb1288
    • SHA1: c47040632ca1c2d55d08c1faea3f77f932aac008
    • SHA256: a4473290aa30ca151cc1ff1ea3a1d76915a1975f8461e14ae43a4ad29296bd95
    • SHA512: 4613866fbfa63191c22700e72bb0c54cc20f043fce3a44bdda262f5803d0d02977df8f18a5ac75cb9e0b8b25cb9ee17ec9f97a9f648da7c7a484d9b63c0f5915

    Score: 1/10

    • Target: Cryptic Release V1.4.4/license.txt
    • Size: 6KB
    • MD5: 0b09566254b011d989decf0e23a902eb
    • SHA1: 3ae5cd6be73daf418b8deee9c865cf78225838c9
    • SHA256: a19d58aaab15c4d0019e569d1c073d1b5286fdd37dbeee7a58a7d1ae76045ae1
    • SHA512: 4e22e58f925879306261e5993039e1d84d87f8fecc0f9fdad534da55b6fd22be77e622a4077d8d521f7734e5535f66853d581155987e2f3607e2d386938c218b
    • SSDEEP: 192:uEwjuKsgA4+XYdXjA+okS63vZBCSUziJm:eNs8+QRVxBRU1

    Score: 1/10

    • Target: Cryptic Release V1.4.4/workspace/Saved Scripts.txt
    • Size: 26B
    • MD5: 9aab6209b47a96431718754d4bac5bea
    • SHA1: 671ae2fdf7f41befc2b7fb53a3902cd2d2f35b7f
    • SHA256: d2d792f0d9bdb064f665174877454ea83f32aa0a571d223c062fb2107352481b
    • SHA512: 860afec17d9e2c88df27042ad0b027c9021ce08b737d7cae39585d3398fd6ee551f81fe0f145aed90a30bec15a07d1e0731cce9c5b5db7141a6cedd42a3a1bd1

    Score: 1/10

MITRE ATT&CK Enterprise v15