General
-
Target
AxoCheat.exe
-
Size
10KB
-
Sample
250326-vsy2ksy1cy
-
MD5
0d84b857213666d2946cd162f32d28d0
-
SHA1
856e6f634ae15e27550cbfb1210a313174a2deff
-
SHA256
297304093913381095220c0fc22bc6a4c64f4ed2f05a8bc0d71453fa6b7860e5
-
SHA512
7e42b0f5d9089417ce51384642dad234885465d490ee36e05ac43d9e8ab7b4bdc701cc7e57c03da37edf9683590e992a51b0baba61e91f325012e53a77b4df8f
-
SSDEEP
192:d950dmo9JSL75DuLzozbBLVbL/LaTSK0euttj+exz:d950dmo9JSL4LEzbvbL/LiSjeu7j+ex
Static task
static1
Behavioral task
behavioral1
Sample
AxoCheat.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
AxoCheat.exe
Resource
win10v2004-20250314-en
Malware Config
Extracted
xworm
89.39.121.169:9000
-
Install_directory
%AppData%
-
install_file
RunShell.exe
Targets
-
-
Target
AxoCheat.exe
-
Size
10KB
-
MD5
0d84b857213666d2946cd162f32d28d0
-
SHA1
856e6f634ae15e27550cbfb1210a313174a2deff
-
SHA256
297304093913381095220c0fc22bc6a4c64f4ed2f05a8bc0d71453fa6b7860e5
-
SHA512
7e42b0f5d9089417ce51384642dad234885465d490ee36e05ac43d9e8ab7b4bdc701cc7e57c03da37edf9683590e992a51b0baba61e91f325012e53a77b4df8f
-
SSDEEP
192:d950dmo9JSL75DuLzozbBLVbL/LaTSK0euttj+exz:d950dmo9JSL4LEzbvbL/LiSjeu7j+ex
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Detect Xworm Payload
-
StormKitty payload
-
Stormkitty family
-
Xworm family
-
Downloads MZ/PE file
-
Uses browser remote debugging
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Persistence
Event Triggered Execution
1Netsh Helper DLL
1Modify Authentication Process
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
2Credentials In Files
2Discovery
Browser Information Discovery
1Query Registry
3Remote System Discovery
1System Information Discovery
4System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
2Internet Connection Discovery
1Wi-Fi Discovery
1