Extracted

Extracted

• • Target

    0f674147118b728504faa4e9ee9be1f2.exe

  • Size

    995KB

  • MD5

    0f674147118b728504faa4e9ee9be1f2

  • SHA1

    d1decfde4071500708161329f9e0c29e85fea315

  • SHA256

    f7a08ebdae40fcb8cdc61a569fdf42b9e65d2dd8f88a4cca9cae0e632a3d8f53

  • SHA512

    584f4b6caf6e12c692fb8a450c98931910a50f89f424adb10f349db3b7b8f8b485dbe8c7f0731f5d8a2e330973385b6d9692822abc398817db8a2c21aef33250

  • SSDEEP

    24576:Cf+6UNxk0J9qt3BGVF+gyToYisepcgq9VB0dEV:CG6U80JAt3BGVF2ksepcnjB0d2

  Score

  10^/10

  redlinesectopratstormkittyxwormhenzcredential_accessdiscoveryexecutioninfostealerratspywarestealertrojan

  • Detect Xworm Payload

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine payload

  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat

  • SectopRAT payload

  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty

  • StormKitty payload

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Credentials from Password Stores: Credentials from Web Browsers

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Suspicious use of SetThreadContext

  behavioral1behavioral2