General
-
Target
CrackLauncher.exe
-
Size
2.8MB
-
Sample
240726-v6j5ksxanh
-
MD5
f2ce023c5bc17140b9776f0c7c47913d
-
SHA1
c35da6e6fec72b5bd8918d9a370a86347e6d3388
-
SHA256
532c0ef8e8b0d52ca5cb608fbb92d0f3ac676573e70505380e3f3c5a447811fa
-
SHA512
c6ec3df9578e79b0fa1c6637cc89ce4f19936192e4ce557f0af55c41bd879639acd837c5114b8c6162fe32417bb28d452bdc1c8f98dbff3e31e8d88541b4619b
-
SSDEEP
49152:i5zytOoH9xol9B5e29dCIKrm21PLybe4Ny5KHfNbki93Mky:iPoHHch13CIMm21P4e4Ny5K1r93e
Static task
static1
Behavioral task
behavioral1
Sample
CrackLauncher.exe
Resource
win7-20240708-en
Malware Config
Extracted
xworm
main-although.gl.at.ply.gg:30970
-
Install_directory
%AppData%
-
install_file
XClient.exe
Targets
-
Target
CrackLauncher.exe
-
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Xworm Payload
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
-
Disables Task Manager via registry modification
-
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-