General

Target: Luxury Shield 7.1.zip
Size: 10.1MB
Sample: 230426-mdd4vsgf74
MD5: 07d98b07c257eb1532f80c72f643edee
SHA1: 2c5d530de83fd11c60c8d18099fc39ba322ca197
SHA256: 79d731ef75cebcd139ee36573f72e103e0d13eccdb60aaa7393fca8966e9eef7
SHA512: 572e253dcf88cb4c142e8f7f8c2272bd7afcc3daf200d8a54a1b3d3c3795aea787e1a7c8c54191576e49e2bf7c186415e4dc1b34dae10bdecdc3635d63bfadf2
SSDEEP: 196608:nN5Lqm6L7yjyK7nM4TyW0olrgFCV8080JmwFwXp7ADWysN/l53CLU9R:N9KyjfM4VUCJ8rwFq7JysNv9R
Static task: static1

Behavioral task: behavioral1
Sample: Luxury Shield 7.1/ILMerge.exe
Resource: win7-20230220-en

Behavioral task: behavioral2
Sample: Luxury Shield 7.1/ILMerge.exe
Resource: win10v2004-20230220-en

Behavioral task: behavioral3
Sample: Luxury Shield 7.1/Luxury Shield 7.1.exe
Resource: win7-20230220-en

Behavioral task: behavioral4
Sample: Luxury Shield 7.1/Luxury Shield 7.1.exe
Resource: win10v2004-20230220-en

Behavioral task: behavioral5
Sample: Luxury Shield 7.1/Pass to use.txt
Resource: win7-20230220-en

Behavioral task: behavioral6
Sample: Luxury Shield 7.1/Pass to use.txt
Resource: win10v2004-20230220-en
Malware Config

Extracted: xworm
ekinox.myftp.biz:3080
install_file: USB.exe
Targets

Target: Luxury Shield 7.1/ILMerge.exe
Size: 912KB
MD5: 35a3dc21f6e0ed6a8423f7455a379f9c
SHA1: 631b3d76f02b386e0bac33fa8a0cb464cef984be
SHA256: 4a0dac9d63c87b726285cbcab13757db23acb82f29f4bd4806a26997ce11f5f4
SHA512: 3abea20d1e5d6083faca67901488d9ce318a4f9929afb1b223a9dcff4fa440408928183aa712e6d0d25dbcea603da31eae09a481641a6bcde9e8eda95e336cfb
SSDEEP: 12288:X0zOaLOF4xKbTQ+ZyoMyixinEcD2B7I3x6cDjGCErg1oh:X7dLM9inTxtRa
Score: 10/10

- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
Target: Luxury Shield 7.1/Luxury Shield 7.1.exe
Size: 10.4MB
MD5: 7da08bb44a74d40e588cd8a0200c4917
SHA1: 1362eec3dd846d5f99d39e1a8add8e8965447a64
SHA256: 7b70dfbab96df3d99b9b5922ad0baeaa3fd6b16774a3e11d783fa67c379368e8
SHA512: d09525c8968390ddcbd81c77c41d58bed992510e14ba6ef1533795c3b4b94c14bca403dd1707b56798e10a89583c2afdc27b910a6b4ce62d0e38fd2b18cb18c7
SSDEEP: 196608:YRue0PF8bumHRuyNI+GYpDchQLUGY2xwwxY7pP+mqxMOjakDsYZ:8C8bPgy7MQ7YLwxmP+9xMOWusY
Score: 10/10

- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
Target: Luxury Shield 7.1/Pass to use.txt
Size: 199B
MD5: e64fa2857632e555cc98d354f727e6b9
SHA1: 30a66b75db03413d1f092100088163715f9ca9c1
SHA256: 95733b0af4d654870f40c2a2bd64a2f980a4ea377a088599e519238f666a69a0
SHA512: 73f942f9f26ca2d641e308828efa940ee19a87c9ce5d9072cb2896a98d1809289e99feffad26fe40e8c597bc120b9a56840e133f7430bace7b23e7e969918c1c
Score: 1/10