General

  • Target

    LoaderAlkadRustCheat.exe

  • Size

    64.1MB

  • Sample

    240723-pa3n6asakd

  • MD5

    73ffcfac6161cd6c7a8b1d001a0aaaf4

  • SHA1

    be16bed3401bd838c4b85a47ae184d4a08a28fe3

  • SHA256

    aebdb5d4472f019df13190b233c6dd89050b7f473c0828c97c16f060e458b573

  • SHA512

    5d5677aeab8bdb9d908a7dafbd7424912cc3f28a2e90d2b39929aec8153a87820f67d13389c6d8cb2e2661735df74d1b7c4f27812e871555717f3922b195e4ca

  • SSDEEP

    786432:8yrqMu/IZ53ufBoglmM/zxhkAw7BwNLmf7CfuBqFiKKL+XNnwlHAsdwelhFVWQuO:NIWtgf7sAEZ7CHSi5s1DCQ6XEeO

Malware Config

Extracted

Family

umbral

C2

https://discordapp.com/api/webhooks/1263829716222087238/q6iXEGwIgQyM0U64TvXijRw1r9Pjb2LfSfDMR3sTEuliB-bO89WTL5urDXmvBpgYvif-

Targets

    • Target

      LoaderAlkadRustCheat.exe

    • Detect Umbral payload

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Umbral

      Umbral stealer is an open-source modular stealer written in C#.

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15
