General

  • Target

    Vape.exe

  • Size

    8.4MB

  • Sample

    240212-q8cfasfc7x

  • MD5

    8afb546a821068f344d5e5481d57fd6a

  • SHA1

    907c78ae51a9bef3612538c1205cb1458b591df6

  • SHA256

    9367be61e6f18c4bc17567e4259607293eb60687920b7656728442df79c9fe03

  • SHA512

    2c4123ada410cfb647f4e32039216e14f06ebdec910471ce9d9ae674191dbc96f915f0c8798672ba640d4a3ce9d176a5139f479c96d4bcde59dea9317a17438e

  • SSDEEP

    196608:8okYHMUWsVqYGAwEFD8bJrxv8pL6x/rFdiX4virXL:KYHRWsVsAwEGbJrxIG1v84vir7

Malware Config

Extracted

Family

xworm

Attributes

  • Install_directory

    %Temp%

  • install_file

    USB.exe

  • pastebin_url

    https://pastebin.com/raw/4dSAsSm4

Targets

    • Detect Xworm Payload

    • Modifies WinLogon for persistence

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Downloads MZ/PE file

    • Modifies AppInit DLL entries

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Sets desktop wallpaper using registry
