Extracted

• • Target

    Vapev41.exe

  • Size

    36.0MB

  • MD5

    feb087808958828564c3f63115056652

  • SHA1

    aa7da658d1720bb04c4f48bd48c96c2b203007b6

  • SHA256

    7db2f1b8447c7724e0b312fb2a9cc177807d72d44cec68e12aef49b3990b1c29

  • SHA512

    82e2ee2059895539b7407f5f16cd8dc278cfa334e7774e819544e0f5cd00002910a1dfd745a89c6a22dd683d04fe2ac45f82587fdb11d1efddb1c6bff2855ea5

  • SSDEEP

    786432:s8AkL7W5cIaalagScIwxMSLu2gTLXVsSibQpOXD/4VxZrJczq:s8AkLA5xScILSLu2qVcbQpOXsnzc

  Score

  10^/10

  xmrigxwormevasionminerpersistencerattrojanupxdiscoveryspywarestealer

  • Detect Xworm Payload

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig

  • XMRig Miner payload

    miner

  • Drops file in Drivers directory

  • Stops running service(s)

    evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2