darkvision | 7d104083d0598fe421a7ba0d2ab9f10a1da8666a87266ab949c0b0cdf386da4b

General

Target

Wallet_Crackerinfected.zip
Size

768KB
Sample

241203-hx598szrgk
MD5

bdb9582ced92dd1147098f2e007225c0
SHA1

53a5f2faa7491b85530a2b51490308732aa797d2
SHA256

7d104083d0598fe421a7ba0d2ab9f10a1da8666a87266ab949c0b0cdf386da4b
SHA512

41d6ba0c82e75568ac55728d0a8f06b6c4d3d73e360845176d6f8824f7057e71ea580b9f200db1e1c1c4062da4342ff4f5480d308872134dcddd8679cf367f40
SSDEEP

12288:1m1sY0lKbZnft77JowFHmoESN+I2PML1Zl9YzWf+/SMIsgqiUy5VVkNy:OsY0IZftfJoQHbAbPMxZvYc+G2xyD

Score

10^/10

Malware Config

Extracted

Family

darkvision

C2

45.200.148.238

Extracted

Family

xworm

C2

127.0.0.1:7777

45.200.148.238:7777

Attributes

Install_directory
%Userprofile%
install_file
XClient.exe

Targets

- Target
  
  Wallet_Cracker/Cracker/Tool.EXE
- Size
  
  467KB
- MD5
  
  3776c874ccea3a179734328530202aee
- SHA1
  
  0bc215ae2ad2a870782b80a312ec4e178c7e9286
- SHA256
  
  3acaccf9aeb24eec602857fc3884b482cbf06b0ab2133397244319b103ec989d
- SHA512
  
  05a1a0fb2d19c5328aaa0d3d2b116302fa14bf60464ac3005034e62b8d8db2186aed7a820ce07c6d3f57a42965bc6584258ff223cd5a84856d342c6bbe1df198
- SSDEEP
  
  6144:gMdVKz+LuaBM4/1qrbbYTsHYU6Aez8HVWIrJMA9:hLXqrH+R+T
Score

10^/10

darkvision persistence rat
- DarkVision Rat
  DarkVision Rat is a trojan written in C++.
  rat darkvision
- Darkvision family
  darkvision
- Deletes itself
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2
- Target
  
  Wallet_Cracker/Cracker/hook.dll
- Size
  
  1.5MB
- MD5
  
  e5f1805ae5f385e2d1065ce69c703b64
- SHA1
  
  9ed846eba6e9ddfa326dfb00babf543730f4e844
- SHA256
  
  a7166117cc3623fc4e33d58f47675e1f3870cc8be6b931e723be80c59cf66dc9
- SHA512
  
  aa5c3731f47e4c95f6de94eb0abed6d2566084e904ee98cb48933129d4556af934ce6e647fe60ec8c61e79c3dcc23dba8bb22468cc5ea409b0a4634b02e304b3
- SSDEEP
  
  24576:bvg5S6MuWa0QCq5EPSzygp2Mm4ok9ZYabtvsvNPs0v/7wMM/p5k1V+cHfZ:bvg5S6MmCq5CSzNp2Mm4ok3YWrUE/pdQ
Score

1^/10
behavioral3 behavioral4
- Target
  
  Wallet_Cracker/Setup/Setup.exe
- Size
  
  164KB
- MD5
  
  49bce6a66a0120329a165a14f0a98c28
- SHA1
  
  a0271522e0e368e32dac2883a7b8dd7cfdd719fe
- SHA256
  
  b77fa081d473eb46039e3edadc4ff86f2b80cb29266d4de240a8d56fcccec696
- SHA512
  
  cc4b5f946474064fe0ddd0ff13899ff77a0c631c2d044ab255576dba624a5c1e101ac6f42aef64da376bf829c4979f3cdf91e7e5a3ed40fa74b5dae718fff966
- SSDEEP
  
  3072:qNIAXlLCiiu6EabEvJuOu3/gBz65/M6If+3Js+3JFkKeTno:qFCiiuhabgJ+YxBt25
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral5 behavioral6