Extracted

• • Target

    danger.siski

  • Size

    17.3MB

  • MD5

    7aff5c8e1a98cda8d462565511a5bc2d

  • SHA1

    4703377360e523fae14e0c09aa1a05af040ccc91

  • SHA256

    a90ca15d3c601ae18f82601cfa311ff92405877087ff5566b365799ba05466eb

  • SHA512

    bbbc8ccbc6a2fcea0949c4a27ac935310c4b6c8175521c4db0753c0e440c8d9eb58c99996f0bb5d42e02bbd4c6b4f21530abe43add04d58e89f35471f1db909f

  • SSDEEP

    393216:7eYCTfyWo1HwlNwakK/Aze071Sxs9PHPN4s+Fhh1:bCDyWEHs3kv7Iy9Pe/

  Score

  10^/10

  lucastealerxwormevasionpersistenceratstealerthemidatrojan

  • Detect Xworm Payload

  • Luca Stealer

    Info stealer written in Rust first seen in July 2022.

    stealerlucastealer

  • Luca Stealer payload

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Themida packer

    Detects Themida, an advanced Windows software protection system.

    themida

  • Adds Run key to start application

    persistence

  • Checks whether UAC is enabled

    evasiontrojan

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1