Extracted

• • Target

    Solara roblox.exe

  • Size

    102KB

  • MD5

    ce28d82fa8e4dbbd72cae1bf8d4930e1

  • SHA1

    0cba2f93bc5c9d9e4f950c66e7ac3acee3ce418f

  • SHA256

    d9ca4eaa59a18b4b30518a5c85c757a8b04240e579a1460f0472c608aa2b7bc2

  • SHA512

    ba5506f4dfa1c46e9ac38ca1c6ffabd1870eb4c99d98dae963dda8c387cc1c423a1cbef09f93befba889a65f8f51f34663f64dbb14743c82d8ec40fc036fe57e

  • SSDEEP

    3072:Eb1Z3z4aicVw+NUbUq5dikO3WGWlxUJ1lbE812:Eb1ldC+UbUSdiIdnUJfEm

  Score

  10^/10

  stormkittyumbralxwormexecutionpersistenceratspywarestealertrojan

  • Detect Umbral payload

  • Detect Xworm Payload

  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty

  • StormKitty payload

  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Drops file in Drivers directory

  • Drops startup file

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1