Extracted

• • Target

    sdafsdf.exe

  • Size

    62KB

  • MD5

    5797a6b20156f0a2980d1065da29c0bf

  • SHA1

    0ef27e2a5fdf026647861d7a621dfa3724b11a7b

  • SHA256

    87d91a5a226ba8b4fc71b6056c6bd5517e658a063ed592ad7b8d0c2023bea832

  • SHA512

    43860b663a748e01655ea35aa490148ce2b2e2ed68f65afa6ce5dd35e0f71f9196d6208efd854b70da2c0430212392340eb5cfd12ef60ca411c92fa5998af9a0

  • SSDEEP

    1536:kZpWzfo/gqlER4c+HEbsEgrIsHWN6OOJAODK:1zA/gqKR4cRbsZHEOJAkK

  Score

  10^/10

  xwormpersistencerattrojanxenarmorcollectionevasionpasswordrecoveryspywarestealerupx

  • Contains code to disable Windows Defender

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detect Xworm Payload

  • UAC bypass

    evasiontrojan

  • XenArmor Suite

    XenArmor is as suite of password recovery tools for various application.

    recoverypasswordxenarmor

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Drops file in Drivers directory

  • Modifies Windows Firewall

    evasion

  • Sets DLL path for service in the registry

    persistence

  • ACProtect 1.3x - 1.4x DLL software

    Detects file using ACProtect software.

  • Allows Network login with blank passwords

    Allows local user accounts with blank passwords to access device from the network.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads WinSCP keys stored on the system

    Tries to access WinSCP stored sessions.

    spywarestealer

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads local data of messenger clients

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Accesses Microsoft Outlook accounts

    collection

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Modifies WinLogon

    persistence

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2