Extracted

• • Target

    $RVULAPD.exe

  • Size

    93KB

  • MD5

    7865912339245d7e4970eb1a27fabc2c

  • SHA1

    dd584c401e2b21296d4f3167cf070024c71f640c

  • SHA256

    bcd98496e76c128871952de7d7daa0b8930b0430d6553e77ce72508ff418bb19

  • SHA512

    1d688a0ee969695f765794b8f864078c68a4ded7ab6a081e19d5040530bef210d989df772068d9f5291ac9093ac4cc73341e0582fca0a69435f1fe3d7f33504d

  • SSDEEP

    1536:aYP0rsKtfimtQz5/Ae2G6WE0OsaTbWQw7T+fxSG6RsaSSuOLygpNw1PbVy:1P0rs4zyz54e2LF/TbWQw6xSiaSpOLyU

  Score

  10^/10

  xenarmorxwormcollectionpasswordpersistenceratrecoveryspywarestealertrojanupxevasion

  • Contains code to disable Windows Defender

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detect Xworm Payload

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • XenArmor Suite

    XenArmor is as suite of password recovery tools for various application.

    recoverypasswordxenarmor

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • ACProtect 1.3x - 1.4x DLL software

    Detects file using ACProtect software.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads local data of messenger clients

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Accesses Microsoft Outlook accounts

    collection

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1behavioral2