Resubmissions

26/03/2025, 17:15

250326-vsy2ksy1cy 10

26/03/2025, 13:00

250326-p8xwkavzc1 10

26/03/2025, 12:53

250326-p4qlpaxkz6 10

26/03/2025, 12:50

250326-p3esssxkx7 10

General

  • Target

    AxoCheat.exe

  • Size

    10KB

  • Sample

    250326-p3esssxkx7

  • MD5

    0d84b857213666d2946cd162f32d28d0

  • SHA1

    856e6f634ae15e27550cbfb1210a313174a2deff

  • SHA256

    297304093913381095220c0fc22bc6a4c64f4ed2f05a8bc0d71453fa6b7860e5

  • SHA512

    7e42b0f5d9089417ce51384642dad234885465d490ee36e05ac43d9e8ab7b4bdc701cc7e57c03da37edf9683590e992a51b0baba61e91f325012e53a77b4df8f

  • SSDEEP

    192:d950dmo9JSL75DuLzozbBLVbL/LaTSK0euttj+exz:d950dmo9JSL4LEzbvbL/LiSjeu7j+ex

Malware Config

Extracted

Family

xworm

C2

89.39.121.169:9000

Attributes
  • Install_directory

    %AppData%

  • install_file

    RunShell.exe

Targets

    • Target

      AxoCheat.exe

    • Size

      10KB

    • MD5

      0d84b857213666d2946cd162f32d28d0

    • SHA1

      856e6f634ae15e27550cbfb1210a313174a2deff

    • SHA256

      297304093913381095220c0fc22bc6a4c64f4ed2f05a8bc0d71453fa6b7860e5

    • SHA512

      7e42b0f5d9089417ce51384642dad234885465d490ee36e05ac43d9e8ab7b4bdc701cc7e57c03da37edf9683590e992a51b0baba61e91f325012e53a77b4df8f

    • SSDEEP

      192:d950dmo9JSL75DuLzozbBLVbL/LaTSK0euttj+exz:d950dmo9JSL4LEzbvbL/LiSjeu7j+ex

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • Detect Xworm Payload

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Stormkitty family

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Downloads MZ/PE file

    • Uses browser remote debugging

      Can be used control the browser and steal sensitive information such as credentials and session cookies.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks