Extracted

• • Target

    AutoBuy.exe

  • Size

    2.8MB

  • MD5

    ec3328cb44fb4e760b5cdef7bbbcd6f6

  • SHA1

    d93d74a1200418ec041d4206513d511da870eaec

  • SHA256

    ceb1bbd8e4e6d29926c8011524897693a3240a4bda727d309987a6541cd98907

  • SHA512

    e33563185221acfaf7352a37555f8b1c4f73a962f4ae96e1dee52e8f034bc416fee22dff8bba698b596576470c0572abcf5e2dea1929f6151aac05678e78ca01

  • SSDEEP

    49152:JxppTslWVwj1GowiT4QRW5CX42rZSkvFksV4qBNmP+X:JxpHVwIozyg3jvbVHBNI

  Score

  10^/10

  phemedronexmrigevasionexecutionminerpersistencespywarestealerupx

  • Phemedrone

    An information and wallet stealer written in C#.

    stealerphemedrone

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig

  • XMRig Miner payload

    miner

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Creates new service(s)

    persistenceexecution

  • Drops file in Drivers directory

  • Stops running service(s)

    evasionexecution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1