Extracted

Extracted

• • Target

    Reaper.exe

  • Size

    8.4MB

  • MD5

    caa418507bb991b91bbfa3e52623c2f4

  • SHA1

    9e1083e019ca8813024e1e58eac193d7a83b4b48

  • SHA256

    a8e3cbf1921a2485a307ac0ff2536accc77bc17db386a00e8d67c5537613b321

  • SHA512

    84e57b9c0d88e67c2ebb3ef89df82b33b4d466b663fa1b43dd0c050b140fbc986135169c8840b4d91ed5921379579a85e743cda27184172a7a7eb87156c61684

  • SSDEEP

    196608:SRyi9wysiM2+eLNxHPZe/eAwfPjprt/VU3jZoAp/aOROsEh/cH:SRLSIr+eLDvM9YBNMrQsh

  Score

  10^/10

  asyncratxwormdefaultexecutionpersistenceratspywarestealertrojanupx

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat

  • Detect Xworm Payload

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Async RAT payload

    rat

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Drops file in Drivers directory

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1