Extracted

Extracted

• • Target

    87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe

  • Size

    3.0MB

  • MD5

    6850a8c541b310a2f4a5cd88352856a3

  • SHA1

    372ff19e90cec46e37797b343fe6f537116b4aae

  • SHA256

    87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95

  • SHA512

    924d20cd368e797a771cf8b27b5e8994c62139a85a92ca068b64b0ac65598475b2225a81d08abb2aab9ad87f08d261f950219c16cee1b6d2e21c4b0c95eee4fa

  • SSDEEP

    49152:g97jAtnr1ky+cFvVnJxuw9APD764uBxsPqlRJiM4C/d7Nch8zmOqYmlMH9TLi:g9otJOc/Jxuw9g764ssPqlbiM46ch8z6

  Score

  10^/10

  umbralxmrigxwormevasionexecutionminerpersistenceratspywarestealertrojanupx

  • Detect Umbral payload

  • Detect Xworm Payload

  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig

  • Detects Windows executables referencing non-Windows User-Agents

  • Detects executables attemping to enumerate video devices using WMI

  • Detects executables containing possible sandbox analysis VM names

  • Detects executables containing possible sandbox analysis VM usernames

  • Detects executables containing possible sandbox system UUIDs

  • Detects executables packed with unregistered version of .NET Reactor

  • UPX dump on OEP (original entry point)

  • XMRig Miner payload

    miner

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Creates new service(s)

    persistenceexecution

  • Drops file in Drivers directory

  • Stops running service(s)

    evasionexecution

  • .NET Reactor proctector

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Power Settings

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    persistence

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2