Extracted

Extracted

• • Target

    Output.exe

  • Size

    88KB

  • MD5

    1d5de6633597e967fa624860a9c11381

  • SHA1

    d5b718eb8dc6dd145c9a55a0a697a94cf071492d

  • SHA256

    55f04f3aab2ae05b415095b2037ed4fce36c931bdbbd49292f3f3f4e886e5143

  • SHA512

    698c2a4428f3768de63e8dc6681d9947386d17827055b1ec446b609a109bc78a6a5239f66aad60b779e67009242e9b117c7c3fe7a7fa9cac9bfb717e1ca7ab29

  • SSDEEP

    1536:YSH26AQ95RO4BJULzUrx5yNcG/Ny32UkdBCa7NKuV9N3Y9zaZd:lv5ROihN5yrNyG/dQa7NKul3Y9mZd

  Score

  10^/10

  phemedronexwormcredential_accessexecutionpersistenceratspywarestealertrojan

  • Detect Xworm Payload

  • Phemedrone

    An information and wallet stealer written in C#.

    stealerphemedrone

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Credentials from Password Stores: Credentials from Web Browsers

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Unsecured Credentials: Credentials In Files

    Steal credentials from unsecured files.

    credential_accessstealer

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1