General

  • Target

    CraxsRat v7.6‌‌‌ Fixed.7z

  • Size

    239.7MB

  • Sample

    241129-wj8p4atmam

  • MD5

    f39a0d80ef824edc845505ace1de2be1

  • SHA1

    d7fab1a12030ffb0bde872b61da891e1621afc40

  • SHA256

    883fc0b0feb4c295bdb723c9bb3817ee7c2c413f2e8b6ea961aa9173b065b930

  • SHA512

    8e7c86dfc110a41675983ab16f7640b72c9e98e34f11c1cce2122471e4c0c5c33842be7afbe9f2d3e2401a5a9ca2cb203f63744561db30b18b63e1051749d0d0

  • SSDEEP

    6291456:z8b9l/WiziHnJ6EJJCKhQmwJd+IqWLxOfBhp3ZHgTtN1i4:zQJiHJ6EqKxudSWiBbmTtN1

Malware Config

Extracted

  • Family

    xworm

  • C2

    146.190.110.91:3389

  • Attributes
  • Install_directory

    %LocalAppData%

  • install_file

    taskhostw.exe

  • telegram

    https://api.telegram.org/bot7825054734:AAGZqFAN8E4lv2mzGaChvBqZKYsgV2POVt4/sendMessage?chat_id=6801210841

Targets

    • Target

      CraxsRat v7.6‌‌‌/0Harmony.dll

    • Size

      910KB

    • MD5

      3952f05b0982abbbb9ea953db836b3ea

    • SHA1

      a1a72d6ad32261de9d03624032c4fd80fd62e0ca

    • SHA256

      0de0118c8f1d4408de389ca33b46d2ff7778f3a8541b430cae729ec913d899c7

    • SHA512

      1aefb7363ae4d1313bd12b947b0975408f284d37b2cfb0694c8f79795dbf578503cd949167fe654ff6d3c3e4339ae502d933065276cbff0747423ef80703fb2f

    • SSDEEP

      12288:3ePzA5Qa0p+bULobHoMF/8+wtdwArLPnWn:uPbsYMIMgtKArq

    Score
    1/10
    • Target

      CraxsRat v7.6‌‌‌/AntiBypass.dll

    • Size

      713KB

    • MD5

      2a4a33f9d45a5aada45f81e91278afd7

    • SHA1

      7cbf42cbf24219db0c97428a5099ba16cd88a415

    • SHA256

      c4eabfee8166163d5b03661d6af42c50734b39feba45fe54cfff7b315570d4d0

    • SHA512

      d6bf8eddaf83c2b5ce2d1a3e5a1666de22a370d468ecc9f0ef49b3e5e12eeabdb44315c71984135a24e9b53cd77b214d613aa00ce7cfeead5b6afb6d50a0e3c6

    • SSDEEP

      12288:RqKd5JFifKBFtgzbBky8fI5nRYZsHaBEyFot2wAp+Nrda7ESLqlF3YeYsSSFvO:lgKBFt2ORfIfdHaBEyFoBAerkAr6PfS5

    Score
    1/10
    • Target

      CraxsRat v7.6‌‌‌/CraxsRat v7.6‌‌‌.exe

    • Size

      65.1MB

    • MD5

      272f7334e633d81757417aca3f7b9890

    • SHA1

      290030d91d98910ee5674e0efd2c2af055a2c3da

    • SHA256

      9c7b489b5139074e2fa6088e042a13eecaf781f0b7ff6d62c244159dc39c1f8c

    • SHA512

      2540812d4870140805741eb46fd8059a53958bcc84878e5059046687633f59a85b67137ac5c40e07624046c2f7289506f700d4fd2c181b1f69f2738661f2e46c

    • SSDEEP

      1572864:jmwRxPP7VydDyyFwjXsw8r8yosihxNcfDEvpTUWE8prCiSY:KwRxX8dyyFcsbohYfsprE8pHSY

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      CraxsRat v7.6‌‌‌/DrakeUI.Framework.dll

    • Size

      1.6MB

    • MD5

      1e4e2d630d18d367ef05dba74a76facf

    • SHA1

      baa3899f89eacd09c7e98fb75c5e125f68fcb10a

    • SHA256

      57d39903577cd9f6d275a8c0847d021e6fdf5e7870a3876c657094f4939bacf1

    • SHA512

      2c45252d8254af908fbbb0a6f2a216498be5c3b0e3ed647e58d3795576e7448b2135efffa7937b0d6f8a53b5235b99fe6672c37e07109fa68e09bae6e8936a6b

    • SSDEEP

      24576:wgt+ixt5DG/4k81lExBeU1u9FgjqWSqUA6wz+3GRjTka3ZsacYwzhmT5LOMobxqN:pCRUA6wzS1YwzhmVSMoNqFFPo4

    Score
    1/10
    • Target

      CraxsRat v7.6‌‌‌/GeoIPCitys.dll

    • Size

      191KB

    • MD5

      c070f2421851420e832e4f5989a775a2

    • SHA1

      d6af3c48ffbe0fa1e0e54860836d3bbf374b8b46

    • SHA256

      d54fd6c5903eea49a75d620d4ba232f8effb1863f5f9c974e4ac0a8fb1904131

    • SHA512

      75c3edeb4c16d8e82eedc5595b9c3fde4cbd4a3e9deae1967ad513474920a48e4e9275fdc76f44032b1be570a4ece1a6393c4680af8989f67bcdec039d06798e

    • SSDEEP

      3072:87IcHKc0TwY4O6BlLiJxTmd9h1+fJ5uJnjpUoh/ht21hYvpMaoySJHPc8E:8dHV0Tn4pox6d9G4k

    Score
    1/10
    • Target

      CraxsRat v7.6‌‌‌/LiveCharts.MAPS.dll

    • Size

      53KB

    • MD5

      dfee15e4c6efa37e6645d8b47c8581e0

    • SHA1

      876140e0855fcd15bfb590431fb7b280d1db4a21

    • SHA256

      5b8a9a04f454a2c4da5989fa454a0138d3e5c40712816600f90111b7bf045c40

    • SHA512

      4d0e7b0a5642b649c04e54d89e707ec00e79a0fa282eac19b6097b819652045c3e157763b5b2922a4c2252b0877059ef90eb60038280dbfbef9502f421d739df

    • SSDEEP

      768:r4gOx89xKERw2U11HI+bZO603JLw8MOrNNLSW5/5xTcb2y1ehVHp:rPKB22HIwwFNuC5N6n+VHp

    Score
    1/10
    • Target

      CraxsRat v7.6‌‌‌/LiveCharts.WinForms.dll

    • Size

      19KB

    • MD5

      76c775d09b24798f6923452e920979b5

    • SHA1

      3fe2c79512a0d1153fb07f6640b27106c90d333e

    • SHA256

      a5b61c1726304e6b72e09a0f35ddbf52f89a75a4e28e6ed098c8d1df6081b4ad

    • SHA512

      eacc093f8ac9401f617df7e07fd68a8a0f1f03aa150283de67ad8c338fcb1520b0f07335547cf533a646ff95f239c92b029f952a706e736bcd9508817c9be0f9

    • SSDEEP

      384:F5gNA4m0NkdPbJfGZLifwdNqF8vLvTjzHEhZFUPOxFBVGquJpQ76RqMm:F5gNnrNklJfGZLiAw27jrEhZFyYMm

    Score
    1/10
    • Target

      CraxsRat v7.6‌‌‌/LiveCharts.Wpf.dll

    • Size

      212KB

    • MD5

      e924f79f0b5f3e79c98477d75831813d

    • SHA1

      64f71e20e1953b13c771d8a8e63549ad6d64216e

    • SHA256

      1bdbb1b5c1a50653e5c26161e9b7c03edc518721a6e10ea180a84049d967106b

    • SHA512

      063e9bdbdaf0accb46cef5fdb98b30a97b8a6ba097a80d43a9799ff73e820d1c56d41ca9f71d94497736e3def7fbd0109db4000ab1d9e46cdc96357bf3e15fd1

    • SSDEEP

      6144:d/vd0eaDQcUc0GkiTV3bkACA3AloBtefVt+aA2xgKPo1zlW1w:vaErjGkiTV3bkACA3AloBtefVt+aAGBF

    Score
    1/10
    • Target

      CraxsRat v7.6‌‌‌/LiveCharts.dll

    • Size

      148KB

    • MD5

      9642899636959b7fc89bf34a8b998a90

    • SHA1

      479a0254d1c9e5565c7d861bb77f54b7eae50c96

    • SHA256

      9fcf89837b60f69c1c501e4cfa4d2860887afd0b8f325803367e795a4e3bc9ca

    • SHA512

      435dccb57ff3e9d0663770768c866838b19fbaa5b8e79de0ca111d9c73276f016e016d1d268f72cf3435ecac122039764fada952e1a4f68f368b492bb866c9a2

    • SSDEEP

      3072:saegvMNVoz3Vlw6/R3z3MV1IdJJGVKWHC2KdxFFT9lzo:VFJlwYMVWY65z

    Score
    1/10
    • Target

      CraxsRat v7.6‌‌‌/NAudio.dll

    • Size

      498KB

    • MD5

      6ca17abccae3050f391401b2955f9333

    • SHA1

      0975b039a793accb58130d6639262cd291d80d5d

    • SHA256

      3ad5d09b4c8c3146d15955a564a9f1a57d7c795b189a25c6f722a738d95ef89c

    • SHA512

      c08f366aae9baf0e7762f47a2f79d0dee5187a1d7631e5838590b7c12911bdeb6247e0ff860ade36e04f1d6717f919ad98df6d3a1a556bff4b8994db9616ccec

    • SSDEEP

      12288:MnXnae2TPlr3zvzar5oRDaw92wP6mai9gs6C:K8lrT+r5ADakP4i9gs

    Score
    1/10
    • Target

      CraxsRat v7.6‌‌‌/Newtonsoft.Json.dll

    • Size

      695KB

    • MD5

      195ffb7167db3219b217c4fd439eedd6

    • SHA1

      1e76e6099570ede620b76ed47cf8d03a936d49f8

    • SHA256

      e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

    • SHA512

      56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

    • SSDEEP

      12288:GBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUO:GBjk38WuBcAbwoA/BkjSHXP36RMG/

    Score
    1/10
    • Target

      CraxsRat v7.6‌‌‌/System.IO.Compression.ZipFile.dll

    • Size

      24KB

    • MD5

      dcda916372128f13ada8b07026c1b3e7

    • SHA1

      99d6c187de8510206a93d2eed9c65e65e0c86e72

    • SHA256

      b5c12e9099643e2eda9b49edd0d98bdaed153c72a7e8e6235d8e78714402d16a

    • SHA512

      d66de5d61cf7090ce2e11ca8064723a44c2fdbd7ed937f1cf4198ebe13083037941b816ad9022d332bbb853666785600fa8b1faca94c498d2f82de73fe1e42f9

    • SSDEEP

      384:dK8Y54xRiW3mWeW+mWE3rq0GftpBj52ERHRN7dldBopPI:dKfemqiuEBHoa

    Score
    1/10
    • Target

      CraxsRat v7.6‌‌‌/Telegram Channel.lnk

    • Size

      1KB

    • MD5

      4e0880288ad4607823df224723cd5c3c

    • SHA1

      ca7a9cbbb1c5a2af44102a45c578b4e10601873e

    • SHA256

      aeede2993a3dd6053b6bcb19fe3ad1fbb9b69fc54b5aef79ef58b279f558346f

    • SHA512

      85d82b3be13368dd254fc967793813b4eb6c4b89bd21bebb27f68cf12d06dc1ae6335ec113650c30d8e6904f54163f7bc78746b1505b7494d9e220bd7d7e2d91

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      CraxsRat v7.6‌‌‌/VeryReal.Framework.dll

    • Size

      217KB

    • MD5

      90b2ce096fb8a8074db87c447c8fece0

    • SHA1

      cd18c48f5a35a59d580a90de24bbfce302a4c39e

    • SHA256

      3982cfb65ba487cec756b2a339f3bed97d60bf49004dc5da75c250a8fda09fff

    • SHA512

      1f27ecc8efae565db6161219ec829cca876f16723fe6ae6f020f03ed727273c1d959d6170146208f431960f617c1ad0864ead419a9f656f120c22960f0f1e5b1

    • SSDEEP

      3072:fjfdR6Nj5WGCXlDrau0wH3L2qU4Cofc1xUwBThngFG3DL0avPyltTJzPmqxZo:fj/4t+lDr9DU9o8aolgFYvmTJDj

    Score
    1/10
    • Target

      CraxsRat v7.6‌‌‌/WinMM.Net.dll

    • Size

      43KB

    • MD5

      d4b80052c7b4093e10ce1f40ce74f707

    • SHA1

      2494a38f1c0d3a0aa9b31cf0650337cacc655697

    • SHA256

      59e2ac1b79840274bdfcef412a10058654e42f4285d732d1487e65e60ffbfb46

    • SHA512

      3813b81f741ae3adb07ae370e817597ed2803680841ccc7549babb727910c7bff4f8450670d0ca19a0d09e06f133a1aaefecf5b5620e1b0bdb6bcd409982c450

    • SSDEEP

      768:LyasDzF2TDSemqD9tGI+ffwj2Au0LVpqmf7KxcOOrYCPTxqPb85:LyaXKemqD9tGI+ffwj2Au0LVpq4KWrlv

    Score
    1/10
    • Target

      CraxsRat v7.6‌‌‌/craxs.dll

    • Size

      16.5MB

    • MD5

      280b3bdeb28c8ee420dd3fa3bb584003

    • SHA1

      cc078b738652764b4db599fee57f9037885d1afc

    • SHA256

      051bf7f50082e8a098fb262d835a72064fe95ed3646d92bad19e1ce7dce9a468

    • SHA512

      c65be54d919056e45a8026649409b3ef240fb1d8483d8a0cfc9d16e123207f7a5b092a86b18440420344ef026b8a46af74f8906957c2db9c3926b756803fd524

    • SSDEEP

      393216:rQnXyQiCN/upEgF/UPBv0pDm/AkKmfQRT6E/+4L8SfwsV3wz0Ryq:MXyQNN/4lFYv0peBQZ6yHLGsVp

    Score
    1/10

MITRE ATT&CK Enterprise v15

Tasks

static1

agilenet, neshta
Score
10/10

behavioral1

Score
1/10

behavioral2

Score
1/10

behavioral3

Score
1/10

behavioral4

Score
1/10

behavioral5

xworm, agilenet, discovery, evasion, execution, rat, themida, trojan
Score
10/10

behavioral6

xworm, agilenet, discovery, evasion, execution, rat, themida, trojan
Score
10/10

behavioral7

Score
1/10

behavioral8

Score
1/10

behavioral9

Score
1/10

behavioral10

Score
1/10

behavioral11

Score
1/10

behavioral12

Score
1/10

behavioral13

Score
1/10

behavioral14

Score
1/10

behavioral15

Score
1/10

behavioral16

Score
1/10

behavioral17

Score
1/10

behavioral18

Score
1/10

behavioral19

Score
1/10

behavioral20

Score
1/10

behavioral21

Score
1/10

behavioral22

Score
1/10

behavioral23

Score
1/10

behavioral24

Score
1/10

behavioral25

discovery
Score
3/10

behavioral26

discovery
Score
7/10

behavioral27

Score
1/10

behavioral28

Score
1/10

behavioral29

Score
1/10

behavioral30

Score
1/10

behavioral31

Score
1/10

behavioral32

Score
1/10