General

  • Target

    CrackLauncher.exe

  • Size

    2.8MB

  • Sample

    240726-v6j5ksxanh

  • MD5

    f2ce023c5bc17140b9776f0c7c47913d

  • SHA1

    c35da6e6fec72b5bd8918d9a370a86347e6d3388

  • SHA256

    532c0ef8e8b0d52ca5cb608fbb92d0f3ac676573e70505380e3f3c5a447811fa

  • SHA512

    c6ec3df9578e79b0fa1c6637cc89ce4f19936192e4ce557f0af55c41bd879639acd837c5114b8c6162fe32417bb28d452bdc1c8f98dbff3e31e8d88541b4619b

  • SSDEEP

    49152:i5zytOoH9xol9B5e29dCIKrm21PLybe4Ny5KHfNbki93Mky:iPoHHch13CIMm21P4e4Ny5K1r93e

Malware Config

Extracted

Family

xworm

C2

main-although.gl.at.ply.gg:30970

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Targets

    • Target

      CrackLauncher.exe

    • Size

      2.8MB

    • MD5

      f2ce023c5bc17140b9776f0c7c47913d

    • SHA1

      c35da6e6fec72b5bd8918d9a370a86347e6d3388

    • SHA256

      532c0ef8e8b0d52ca5cb608fbb92d0f3ac676573e70505380e3f3c5a447811fa

    • SHA512

      c6ec3df9578e79b0fa1c6637cc89ce4f19936192e4ce557f0af55c41bd879639acd837c5114b8c6162fe32417bb28d452bdc1c8f98dbff3e31e8d88541b4619b

    • SSDEEP

      49152:i5zytOoH9xol9B5e29dCIKrm21PLybe4Ny5KHfNbki93Mky:iPoHHch13CIMm21P4e4Ny5K1r93e

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks