Extracted

• • Target

    XD.exe

  • Size

    1.3MB

  • MD5

    de88420914cbcf761884bd1200161f31

  • SHA1

    8bb65894f0e5aac2e488ae32fe0cb6ef842a8536

  • SHA256

    db1568502ee09a65ba3b07b3aab4bcf62dbc6fdd51e196fb3a3048aab4a0e3c9

  • SHA512

    c9d44fc8e8cacd756c251f40d8a7092a37dcccd3d8d5b9060de2a4931bed91a01f88eb13d4f7b7ab2df28753f603057398877cc05bbb1fbd3aa2d1d93803541d

  • SSDEEP

    24576:Kx13NKqahG5xQrr2cIb93ckRhx73NKqahG5xQrr2h85a2Qj8Nl/M1Meso:aNKqaY5urr2cINckRLNKqaY5urr2yK8t

  Score

  10^/10

  neshtaramnitxwormbankerevasionpersistenceratspywarestealertrojanupxworm

  • Contains code to disable Windows Defender

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detect Neshta payload

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Executes dropped EXE

  • Loads dropped DLL

  • Modifies system executable filetype association

    persistence

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1