Overview

Static (10)

Per-sample scores (score, sample, platform; sample names are truncated as on the page):
  10  KraxxStealer-main.zip  windows7-x64
  10  KraxxStealer-main.zip  windows10-2004-x64
  1   KraxxSteal...OS.zip    windows7-x64
  1   KraxxSteal...OS.zip    windows10-2004-x64
  1   Kraxx-Buil...er.exe    windows7-x64
  10  Kraxx-Buil...er.exe    windows10-2004-x64
  10  Kraxx-Buil...nt.xml    windows7-x64
  3   Kraxx-Buil...nt.xml    windows10-2004-x64
  1   Kraxx-Buil...ed.xml    windows7-x64
  3   Kraxx-Buil...ed.xml    windows10-2004-x64
  1   Kraxx-Buil...ce.dll    windows10-2004-x64
  3   Kraxx-Buil...fi.dll    windows7-x64
  1   Kraxx-Buil...fi.dll    windows10-2004-x64
  1   Kraxx-Buil...fi.dll    windows7-x64
  1   Kraxx-Buil...fi.dll    windows10-2004-x64
  1   Kraxx-Buil...ce.dll    windows10-2004-x64
  1   Kraxx-Buil...fi.dll    windows7-x64
  1   Kraxx-Buil...fi.dll    windows10-2004-x64
  1   Kraxx-Buil...VM.exe    windows7-x64
  1   Kraxx-Buil...VM.exe    windows10-2004-x64
  1   Kraxx-Buil...Notice    windows7-x64
  1   Kraxx-Buil...Notice    windows10-2004-x64
  1   Kraxx-Buil...SP.dll    windows10-2004-x64
  1   KraxxSteal...DME.md    windows7-x64
  3   KraxxSteal...DME.md    windows10-2004-x64
Analysis

  max time kernel:   117s
  max time network:  119s
  platform:          windows7_x64
  resource:          win7-20240708-en
  resource tags:     arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  submitted:         15-11-2024 10:02
Behavioral tasks (task: sample, resource)

  behavioral1:  KraxxStealer-main.zip  (win7-20240708-en)
  behavioral2:  KraxxStealer-main.zip  (win10v2004-20241007-en)
  behavioral3:  KraxxStealer-main/Kraxx-OS.zip  (win7-20240903-en)
  behavioral4:  KraxxStealer-main/Kraxx-OS.zip  (win10v2004-20241007-en)
  behavioral5:  Kraxx-Builder/Kraxx-OS-Builder/Kraxx-Builder.exe  (win7-20240903-en)
  behavioral6:  Kraxx-Builder/Kraxx-OS-Builder/Kraxx-Builder.exe  (win10v2004-20241007-en)
  behavioral7:  Kraxx-Builder/Kraxx-OS-Builder/Settings/AssemblyList_4_client.xml  (win7-20240903-en)
  behavioral8:  Kraxx-Builder/Kraxx-OS-Builder/Settings/AssemblyList_4_client.xml  (win10v2004-20241007-en)
  behavioral9:  Kraxx-Builder/Kraxx-OS-Builder/Settings/AssemblyList_4_extended.xml  (win7-20240903-en)
  behavioral10: Kraxx-Builder/Kraxx-OS-Builder/Settings/AssemblyList_4_extended.xml  (win10v2004-20241007-en)
  behavioral11: Kraxx-Builder/Kraxx-OS-Builder/Settings/TableTextService.dll  (win10v2004-20241007-en)
  behavioral12: Kraxx-Builder/Kraxx-OS-Builder/Settings/bootmgfw.efi.dll  (win7-20240903-en)
  behavioral13: Kraxx-Builder/Kraxx-OS-Builder/Settings/bootmgfw.efi.dll  (win10v2004-20241007-en)
  behavioral14: Kraxx-Builder/Kraxx-OS-Builder/Settings/bootmgr.efi.dll  (win7-20240903-en)
  behavioral15: Kraxx-Builder/Kraxx-OS-Builder/Settings/bootmgr.efi.dll  (win10v2004-20241007-en)
  behavioral16: Kraxx-Builder/Kraxx-OS-Builder/Settings/en-US/TableTextService.dll  (win10v2004-20241007-en)
  behavioral17: Kraxx-Builder/Kraxx-OS-Builder/Settings/memtest.efi.dll  (win7-20241010-en)
  behavioral18: Kraxx-Builder/Kraxx-OS-Builder/Settings/memtest.efi.dll  (win10v2004-20241007-en)
  behavioral19: Kraxx-Builder/Kraxx-OS-Builder/Source/SenseTVM.exe  (win7-20241010-en)
  behavioral20: Kraxx-Builder/Kraxx-OS-Builder/Source/SenseTVM.exe  (win10v2004-20241007-en)
  behavioral21: Kraxx-Builder/Kraxx-OS-Builder/Source/ThirdPartyNotice  (win7-20240903-en)
  behavioral22: Kraxx-Builder/Kraxx-OS-Builder/Source/ThirdPartyNotice  (win10v2004-20241007-en)
  behavioral23: Kraxx-Builder/Kraxx-OS-Builder/Source/WATPCSP.dll  (win10v2004-20241007-en)
  behavioral24: KraxxStealer-main/README.md  (win7-20240903-en)
  behavioral25: KraxxStealer-main/README.md  (win10v2004-20241007-en)
General

  Target:  KraxxStealer-main.zip
  Size:    1.2MB
  MD5:     73222b81f9ef5fc735a5d905a305b22d
  SHA1:    33135b6ca277c58df56aa490b60383c431905fa0
  SHA256:  68ea23c1515b2306e607ce7b124f9314b4af9ee2572e23550b3ac1a8dd3b43e6
  SHA512:  ae927b2882ea7244b6813534916769664cdd41d11e21b667e5b52d6194972418ff418db5e1882eb7ea47a0fb6e8ac94a773bf105e32e0d868e79b2d641b267c7
  SSDEEP:  24576:U1D05gOqzT1PnVlUP8TBRRtzsmE6fwdQtbF/HfKlrtE8DGuVEEv1/P:15+T17q83HzsmEqtb1KBtEqGeEEv1/P
Malware Config
Signatures

- Detect Umbral payload (2 IoCs)
  resource / yara_rule:
    behavioral1/files/0x0009000000016cc4-4.dat  family_umbral
    behavioral1/memory/1304-11-0x00000000000F0000-0x0000000000130000-memory.dmp  family_umbral

- Umbral family

- Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid / Process: 2536 powershell.exe; 2668 powershell.exe; 2224 powershell.exe; 1948 powershell.exe

- Executes dropped EXE (1 IoCs)
  pid / Process: 1304 Kraxx-Builder.exe

- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  flow / ioc: 8 discord.com; 9 discord.com

- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow / ioc: 6 ip-api.com

- Detects videocard installed (1 TTPs, 1 IoCs)
  Uses WMIC.exe to determine the videocard installed.
  pid / Process: 1712 wmic.exe

- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid / Process: 2536 powershell.exe; 2668 powershell.exe; 2224 powershell.exe; 2788 powershell.exe; 1948 powershell.exe; 2404 7zFM.exe

- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid / Process: 2404 7zFM.exe

- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token (description) / pid / Process, grouped by process:
    7zFM.exe (PID 2404): SeRestorePrivilege, 35, SeSecurityPrivilege, SeSecurityPrivilege
    Kraxx-Builder.exe (PID 1304): SeDebugPrivilege
    powershell.exe (PIDs 2536, 2668, 2224, 2788): SeDebugPrivilege (one per PID)
    wmic.exe (PID 2000), the following sequence recorded twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
    wmic.exe (PID 2032): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege

- Suspicious use of FindShellTrayWindow (4 IoCs)
  pid / Process: 2404 7zFM.exe (recorded 4 times)

- Suspicious use of WriteProcessMemory (30 IoCs)
  PID / Process -> target PID (procid_target); each entry was recorded 3 times:
    2404 7zFM.exe -> 1304 (31)
    1304 Kraxx-Builder.exe -> 2536 (32)
    1304 Kraxx-Builder.exe -> 2668 (34)
    1304 Kraxx-Builder.exe -> 2224 (36)
    1304 Kraxx-Builder.exe -> 2788 (38)
    1304 Kraxx-Builder.exe -> 2000 (40)
    1304 Kraxx-Builder.exe -> 2032 (43)
    1304 Kraxx-Builder.exe -> 2900 (45)
    1304 Kraxx-Builder.exe -> 1948 (47)
    1304 Kraxx-Builder.exe -> 1712 (49)
Processes (process tree; the bracketed number is the depth, children are indented under their parent)

[1] C:\Program Files\7-Zip\7zFM.exe
    Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\KraxxStealer-main.zip"
    PID: 2404
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\7zO4694F237\Kraxx-Builder.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\7zO4694F237\Kraxx-Builder.exe"
        PID: 1304
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7zO4694F237\Kraxx-Builder.exe'
            PID: 2536
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
            PID: 2668
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
            PID: 2224
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
            PID: 2788
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\System32\Wbem\wmic.exe
            Command line: "wmic.exe" os get Caption
            PID: 2000
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\System32\Wbem\wmic.exe
            Command line: "wmic.exe" computersystem get totalphysicalmemory
            PID: 2032
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\System32\Wbem\wmic.exe
            Command line: "wmic.exe" csproduct get uuid
            PID: 2900

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
            PID: 1948
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses

        [3] C:\Windows\System32\Wbem\wmic.exe
            Command line: "wmic" path win32_VideoController get name
            PID: 1712
            - Detects videocard installed

[1] C:\Windows\explorer.exe
    Command line: "C:\Windows\explorer.exe"
    PID: 1124
Network
MITRE ATT&CK Enterprise v15
Downloads

- (no path recorded)
  Filesize: 229KB
  MD5:      1c615c8e4fc8fbbf2519a03471cdac01
  SHA1:     5388ec05cbe0f0928ae7f9be41ed99a5a5607d05
  SHA256:   035d79db8e3afcf56dfc240fb3df650409d78ae18d7f7eafdf00d38a5c520fa3
  SHA512:   3c624edec97f885aaf06ffa5d0628e453fcb76066524ac7316dbcf85f20ab4605616234b6348c3cad17d8057a6db7ae0b16f8bf44a950326244a98bd1b615ce2

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5:      49556497703b3dbbf40ca72c2d17d81c
  SHA1:     41ee97fd724cd5902269f479b59825b7f2a128a0
  SHA256:   0a577076772288adb758a95db5718a080b67bb82d202ea0ba501f2092042181d
  SHA512:   1623fbb47671a72abd2d2ba88f76b694b7a7a8dcaa2fdea687d82ee9dd970503ef74fb3474fd54e6f8a87d67558ed8393cbbb2021baadd50863da0b134a48eba