General
- Target: CelestialUUpdate.exe
- Size: 1.2MB
- Sample: 241205-h3x6tatqat
- MD5: 8b16db15e2df974f1e2d4d36934d8067
- SHA1: 2392ba431d064fbcdf8812056a0398e28d3985ae
- SHA256: c9f1853eb63ea24a952a37bb0a5853be5333e94097e0ff3a60474fb022e09ae7
- SHA512: be01dc9ca1db5dbf6399b7568b9e063adbc617dfc686f74faf648318138c9673e09e97e6922116512d1df56cb5197fb016bfe549c21b6f022493bfcde9150f29
- SSDEEP: 24576:2fFSkjA+SpS/h3UYU2Uq74JZXXKn4VNWF40LrBjcnbPaF/MPqoXj2:2NhfGSJUD2UqGXaHr9cn7PXC

Static task: static1

Malware Config

Extracted: xworm
- Install_directory: %Temp%
- install_file: svchost.exe
- pastebin_url: https://pastebin.com/raw/vJmE27fr
- telegram: https://api.telegram.org/bot7414557379:AAHJMIrSP_hoR0jelLf8igel3SZxGY860qU/sendMessage?chat_id=2076906822

Extracted: xworm 3.0
- plus-loves.gl.at.ply.gg:59327
- Install_directory: %AppData%
- install_file: USB.exe

Extracted: gurcu
- https://api.telegram.org/bot7414557379:AAHJMIrSP_hoR0jelLf8igel3SZxGY860qU/sendMessage?chat_id=2076906822
Targets
- Target: CelestialUUpdate.exe
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, block at first sight, etc.
- DcRat
  DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Dcrat family
- Detect Xworm Payload
- Gurcu family
- Modifies WinLogon for persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Xworm family
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Downloads MZ/PE file
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
MITRE ATT&CK Enterprise v15 (number of matching signatures in parentheses)

Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (4)

Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)