Extracted

• • Target

    Lunar Release V1.2.exe

  • Size

    26.8MB

  • MD5

    7eae1354932dcc6f0db4a6b6d0f00971

  • SHA1

    61f122ed38c93d36c08ffbfde8418580edb4a44c

  • SHA256

    dce4f486acb10ec17770782fada8e7696d454727912a2889ebfbf466c9bbb60e

  • SHA512

    606c5f2c1a781728577d4d175409e266e738f610529877a0ef0529e2627778a1b1814069acbf74b1da14f88a51da1c84cce4697b0b00c49c45ef16dc3537e9e5

  • SSDEEP

    786432:aJTiZQH7iiQ3w+n9tlPLKEjp4YRX+8aHDB:aViZm7iiQ3w+n9tlPLKEjp4Y1+Zt

  Score

  10^/10

  stormkittyxmrigxwormevasionexecutionminerpersistenceratspywarestealertrojanupx

  • Detect Xworm Payload

  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty

  • StormKitty payload

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig

  • XMRig Miner payload

    miner

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Creates new service(s)

    persistenceexecution

  • Stops running service(s)

    evasionexecution

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1