General

Target: FataliyCrack (Crack).rar
Size: 2.7MB
Sample: 250121-a9xvmaxqhp
MD5: aaca7720f9b71f038a365c927b6e3da6
SHA1: e67b449a9bab51a2c407ebeff48651e329da1298
SHA256: 722416d5d03bb6f124099c32f51332b07e02ed9da1f38b55259ffcbbaf06b247
SHA512: b36d02132768662974d94fe31744e03dda88fed380048ebeefe73e788b5a77e97fd4edbcf9b04ab97d2aa431433f7320277d14d5deddf4135378b4924e32fc77
SSDEEP: 49152:hdEHpLZRMMdAZqjOLSliYATU0OwfWBRE/7Me+LOQyI1cyDG8mw9Ta4O:hWJNWMHOLSliYA4Ci2+Vy3yK8hW4O
Behavioral task: behavioral1

Sample: FataliyCrack/FatalityLoader.exe
Resource: win10v2004-20241007-en
Malware Config

Extracted family: xworm

Install_directory: %AppData%
install_file: FatalityLoader.exe
pastebin_url: https://pastebin.com/raw/mercTNMT

The install fields mean the loader copies itself to %AppData%\FatalityLoader.exe. The pastebin_url field is the raw paste the loader fetches at runtime to obtain its C2 address, which is why the "Legitimate hosting services abused for malware hosting/C2" signature fires below.
Targets

Target: FataliyCrack/FatalityLoader.exe
Size: 321KB
MD5: 280153c108845d84c90190e3c89fb306
SHA1: 13dd14c250698a61b71d848f1ca3cdcdbdfd9585
SHA256: d918b4970b02b073eb3fd038397f40b2ffa43189205bc2c94d463dab32e00316
SHA512: ff4fc6721cdd62a9d30b0cc502e6696dcca93864717528d94ab0b9426ac01a7dd9272e8d43cfd2a4fb6348438e2c68564216068f1608bcb364179ed68fc79818
SSDEEP: 3072:J8YRi/F+rMmtgU2b8SWLOmteSQvWzSBp:J8LF+zt92bzqhgWz
Score: 10/10

Signatures

- Detect Xworm Payload
- Xworm family
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes so the dropped loader is not scanned.
- Checks computer location settings
  Looks up the country code configured in the registry, likely as a geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP address.
MITRE ATT&CK Enterprise v15

Execution
- Command and Scripting Interpreter (1): PowerShell, T1059.001 (1)
- Scheduled Task/Job (1): Scheduled Task, T1053.005 (1)

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder, T1547.001 (1)
- Scheduled Task/Job (1): Scheduled Task, T1053.005 (1)

The number in parentheses is the count of matching signatures for each tactic, technique and sub-technique.