Extracted

Extracted

• • Target

    EXMservice.exe

  • Size

    12.0MB

  • MD5

    f189114f5f8504a1aeb97a90e71ea429

  • SHA1

    a2d029f042000b7e3ec175e1e365d9bf20396092

  • SHA256

    31709442f1ff903433dec01461829a0c05b62f0e7cab81f2efcd1a0b0845d748

  • SHA512

    5f939df2c5bc1f3c4f5b1fd835a7ab882d49fed5c5ebd7a41deba37b3f7ba423d194ccaad39aa3032d9454570d8863bdb93cca9c99ee12cf64dbc478b2dfcbbb

  • SSDEEP

    6144:pcBqNKm+UQqA9uAXTNpWKc9SNweSuRQjbvmpFETPMK3nYpbLYhZ+:pkCKm+UQqAP7WKc9SNavmpOTZ3WuM

  Score

  10^/10

  asyncratstormkittyxwormdefaultcredential_accessdiscoverypersistenceprivilege_escalationratspywarestealertrojan

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat

  • Detect Xworm Payload

  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty

  • StormKitty payload

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Async RAT payload

    rat

  • Credentials from Password Stores: Credentials from Web Browsers

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  behavioral1behavioral2