General

  • Target

    CrystalSiegeDemo.exe

  • Size

    75.3MB

  • Sample

    241123-a42xdszjhj

  • MD5

    dca3aa12fd423c78cd8b8f9f1ee4907b

  • SHA1

    2d19741921127faac6f94fa8822a8603a0879611

  • SHA256

    b7ca33c868d337fdb80802f2b5b7ea545297de765553df419e0b53aae6b3d542

  • SHA512

    77b33f9edae904afc1bc8678e2cc727b29c07fd131a78af49952c35d086380f49681fbed24d9d6e3518dfb1db060553da23fb12294f7fa175fe879edd95112d6

  • SSDEEP

    1572864:pPJ39Kk9MiVQ0bWrZjB8ceyIS7nqYdd6hIEhSmn6nlN/QFzs9:pak9MJu2j/vP7nMhJnUXQC9

Malware Config

Targets

    • Target

      CrystalSiegeDemo.exe

    • Size

      75.3MB

    • MD5

      dca3aa12fd423c78cd8b8f9f1ee4907b

    • SHA1

      2d19741921127faac6f94fa8822a8603a0879611

    • SHA256

      b7ca33c868d337fdb80802f2b5b7ea545297de765553df419e0b53aae6b3d542

    • SHA512

      77b33f9edae904afc1bc8678e2cc727b29c07fd131a78af49952c35d086380f49681fbed24d9d6e3518dfb1db060553da23fb12294f7fa175fe879edd95112d6

    • SSDEEP

      1572864:pPJ39Kk9MiVQ0bWrZjB8ceyIS7nqYdd6hIEhSmn6nlN/QFzs9:pak9MJu2j/vP7nMhJnUXQC9

    • Hexon family

    • Hexon stealer

      Hexon is a stealer written in Electron NodeJS.

    • Uses browser remote debugging

      Can be used to control the browser and steal sensitive information such as credentials and session cookies.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates processes with tasklist

    • Target

      CrystalSiege.exe

    • Size

      154.6MB

    • MD5

      ff881bc6d9f56f353232a177575d0f1f

    • SHA1

      9d2fea770f59f05a6480a5f8915227bc6457f74c

    • SHA256

      690323b53f29fd18687a9049d7c4c26cb8346a8a4b65c51660a55ae6141f4dab

    • SHA512

      e5bdda697e1572c969081548a84d3553fcd3ea45395eb0de2ae9f0f91308fd54edf0eb222d1d8cb99a12e83196cb3364488e86ebc4991eb63937dd7a1662fc5e

    • SSDEEP

      1572864:gTmw0ciLNpDPuAvHxJLkY2O6Ea3f9kwZXeT6EivLp1vUAtdjtZn+f4FnIvGaC9dU:Tv6E70+Mk

    • Hexon family

    • Hexon stealer

      Hexon is a stealer written in Electron NodeJS.

    • Uses browser remote debugging

      Can be used to control the browser and steal sensitive information such as credentials and session cookies.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Enumerates processes with tasklist

MITRE ATT&CK Enterprise v15

Tasks