General

  • Target

    Cryptic Release V1.4.exe

  • Size

    8.5MB

  • Sample

    240621-npklfs1hpn

  • MD5

    3be927d08df2f452185bc35ae5709617

  • SHA1

    e287ba2e481f3768678317e87099afdef4186294

  • SHA256

    f99d78317fe908e8f863563f5b8662c21185dd256120b534dd3a3a842557fc3c

  • SHA512

    89490ed120cb8f73359a0a8f2b47957fcd55631f6b61e8ee9a7363d7792ecb3cb012270071949fd903b73792b4c83adc331dd3a02998c8789bd6198b95ee4a5f

  • SSDEEP

    196608:BB8BYmuJfX5aL0o/gGuwDfsBJcXIsEIKcmc3FzVT9tdVX:B2YmqfX5yIFwATcXIsGVc1zVTjdV

Malware Config

Extracted

Family

xworm

C2

91.92.241.69:5555

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    Windows Runtime.exe

Targets

    • Target

      Cryptic Release V1.4.exe

    • Size

      8.5MB

    • MD5

      3be927d08df2f452185bc35ae5709617

    • SHA1

      e287ba2e481f3768678317e87099afdef4186294

    • SHA256

      f99d78317fe908e8f863563f5b8662c21185dd256120b534dd3a3a842557fc3c

    • SHA512

      89490ed120cb8f73359a0a8f2b47957fcd55631f6b61e8ee9a7363d7792ecb3cb012270071949fd903b73792b4c83adc331dd3a02998c8789bd6198b95ee4a5f

    • SSDEEP

      196608:BB8BYmuJfX5aL0o/gGuwDfsBJcXIsEIKcmc3FzVT9tdVX:B2YmqfX5yIFwATcXIsGVc1zVTjdV

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other profile data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP address.
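The extracted configuration and the behaviours listed above translate directly into host-based hunting rules. The following is an added example, not part of the sandbox output: it matches Sysmon-style event records against the C2 endpoint (91.92.241.69:5555), the install path (%ProgramData%\Windows Runtime.exe), the Run-key persistence, the hidden PowerShell window, the execution of the dropped EXE and the Startup-folder drop. The event records are constructed for the example, not telemetry from the analysed sample; the field names (EventID, Image, CommandLine, TargetObject, Details, DestinationIp, DestinationPort, TargetFilename) follow Sysmon's schema, and the regexes and thresholds are the author's assumptions.

```python
"""Hunting rules for the XWorm indicators in this report (added example).

The SAMPLE_EVENTS below are constructed Sysmon-style records, not logs from
the analysed sample. Field names follow Sysmon's schema.
"""
import re
from typing import Iterable

# Indicators taken from the extracted configuration above.
C2_IP = "91.92.241.69"
C2_PORT = 5555
INSTALL_FILE = "Windows Runtime.exe"
# Either the unexpanded variable or its usual expansion, compared lower-case.
INSTALL_DIR_TOKENS = ("%programdata%", "\\programdata\\")

RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\", re.I)
# -w, -win, -WindowStyle ... Hidden (PowerShell accepts prefix abbreviations).
HIDDEN_PS_RE = re.compile(r"-w\S*\s+hidden", re.I)


def check_event(ev: dict) -> list:
    """Return the names of the report's behaviours that one event exhibits."""
    hits = []
    eid = ev.get("EventID")
    # Sysmon 3: network connection to the configured C2.
    if eid == 3 and ev.get("DestinationIp") == C2_IP \
            and int(ev.get("DestinationPort", 0)) == C2_PORT:
        hits.append("xworm_c2_connection")
    # Sysmon 13: Run-key value whose data points at the install file.
    if eid == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")):
        details = ev.get("Details", "").lower()
        if INSTALL_FILE.lower() in details \
                and any(t in details for t in INSTALL_DIR_TOKENS):
            hits.append("run_key_to_programdata_install_file")
    # Sysmon 1: process creation.
    if eid == 1:
        image = ev.get("Image", "").lower()
        cmd = ev.get("CommandLine", "")
        if image.endswith("powershell.exe") and HIDDEN_PS_RE.search(cmd):
            hits.append("hidden_powershell")
        if image.endswith("\\" + INSTALL_FILE.lower()) \
                and any(t in image for t in INSTALL_DIR_TOKENS):
            hits.append("executes_dropped_exe")
    # Sysmon 11: file written into a Startup folder.
    if eid == 11 and STARTUP_RE.search(ev.get("TargetFilename", "")):
        hits.append("drops_startup_file")
    return hits


def triage(events: Iterable[dict]) -> dict:
    """Count how often each behaviour was observed across a batch of events."""
    counts = {}
    for ev in events:
        for hit in check_event(ev):
            counts[hit] = counts.get(hit, 0) + 1
    return counts


# Constructed events: one per behaviour plus a benign DNS connection.
SAMPLE_EVENTS = [
    {"EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -WindowStyle Hidden -NoProfile -Command "Start-Sleep -s 1"'},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Windows Runtime",
     "Details": r"C:\ProgramData\Windows Runtime.exe"},
    {"EventID": 3, "DestinationIp": "91.92.241.69", "DestinationPort": 5555},
    {"EventID": 1,
     "Image": r"C:\ProgramData\Windows Runtime.exe",
     "CommandLine": r'"C:\ProgramData\Windows Runtime.exe"'},
    {"EventID": 11,
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Runtime.lnk"},
    {"EventID": 3, "DestinationIp": "8.8.8.8", "DestinationPort": 53},
]

if __name__ == "__main__":
    for name, n in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{name}: {n}")
```

The C2 match is the only rule that keys on a value unique to this sample; the Run-key, hidden-PowerShell and Startup-folder rules will also fire on other droppers and on some legitimate installers, so treat them as corroborating signals rather than stand-alone verdicts.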

MITRE ATT&CK Enterprise v15

Tasks