Extracted

Extracted

• • Target

    05df07e5e365386ae0917e177328bc12a2405a1c4317266127abb6903aac59b3.exe

  • Size

    282KB

  • MD5

    4ce2c0836c46c61b588972b56a23d5e2

  • SHA1

    939a9f983870df1913acce63ca408bba9789588f

  • SHA256

    05df07e5e365386ae0917e177328bc12a2405a1c4317266127abb6903aac59b3

  • SHA512

    7b32f30b61ca8dcd9ae897d4d9e0480d8e0e2e5ae43f5f56f393d6a0dce7fa79e501c3d3609fcd288624c817401aa7f53c5f2fcdd7dda78d32c5034519d7256e

  • SSDEEP

    6144:+sxanyfX5k7JlJDlABKUtfU/WQcb5sDqaxw3fWHdJytaaDlNiJ:f0nyfXuIBDtfu3qaxzHdJytlM

  Score

  10^/10

  redlinesectopratxwormwinscdiscoveryexecutioninfostealerratspywarestealertrojan

  • Detect Xworm Payload

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine payload

  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat

  • SectopRAT payload

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  behavioral1behavioral2