General

  • Target

    shtorm_sb.exe

  • Size

    238KB

  • Sample

    240718-r14p9asgrk

  • MD5

    2faf13feda202796051c439b5abd8d48

  • SHA1

    5c2d1f4be4f7dcef2f5577a15ea3f31c59ddbe8b

  • SHA256

    cde6b414622136dd14a5a025f6d8fe2313c36a347086fceb168b5dff1a6c288b

  • SHA512

    dd46a3f553ff3bf0a39b8f4132d1053ac1758b2befb8a1b096455bd7812f2bcaf29fc9dcf00ef0bb972b4c27e47cc2b347f3fe4e58bab7708be1855fd7bdf2b9

  • SSDEEP

    1536:tDeWitn1NIohnWQoJ0GSbhdp2QfV9XBqn6MHxOwz3i+7BanqY5DW1T:VePbVnhuSbvppn8ROwzrirDcT

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:13244

close-material.gl.at.ply.gg:13244

Attributes

  • Install_directory

    %AppData%

  • install_file

    svсhost.exe

Targets

    • Target

      shtorm_sb.exe

    • Size

      238KB

    • MD5

      2faf13feda202796051c439b5abd8d48

    • SHA1

      5c2d1f4be4f7dcef2f5577a15ea3f31c59ddbe8b

    • SHA256

      cde6b414622136dd14a5a025f6d8fe2313c36a347086fceb168b5dff1a6c288b

    • SHA512

      dd46a3f553ff3bf0a39b8f4132d1053ac1758b2befb8a1b096455bd7812f2bcaf29fc9dcf00ef0bb972b4c27e47cc2b347f3fe4e58bab7708be1855fd7bdf2b9

    • SSDEEP

      1536:tDeWitn1NIohnWQoJ0GSbhdp2QfV9XBqn6MHxOwz3i+7BanqY5DW1T:VePbVnhuSbvppn8ROwzrirDcT

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks