Extracted

• • Target

    Setup.exe

  • Size

    136KB

  • MD5

    2490778321cefd83508ba9786b66c217

  • SHA1

    aa968d4fed3451a2fff03208e2815a5f342db167

  • SHA256

    989c54ab290e147aba6de1e542eb71cdbc50179dffc190ca46031ce8f18a6c8b

  • SHA512

    b5f46764e5d4ddb9eeb783f96356eabc9c5590abf36ee4554fd3bf1118220a9d24d78ef8d1187fa69505b0dc857606c81d2ce852ae74a59a883742ad551e5553

  • SSDEEP

    3072:cpOFIFK9WFOM3Bz65/M6If+3Js+3JFkKeTni:co0K9YxBt25

  Score

  10^/10

  neshtastormkittyxwormbootkitevasionpersistenceratspywarestealertrojan

  • Contains code to disable Windows Defender

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detect Neshta payload

  • Detect Xworm Payload

  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta

  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty

  • StormKitty payload

  • UAC bypass

    evasiontrojan

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Disables RegEdit via registry modification

    evasion

  • Sets file execution options in registry

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Modifies system executable filetype association

    persistence

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Checks whether UAC is enabled

    evasiontrojan

  • Writes to the Master Boot Record (MBR)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  behavioral1