General

  • Target

    lacks.py.exe

  • Size

    44KB

  • Sample

    240828-snkmaatcjg

  • MD5

    c5b1a6040033863fd8bfdd5228e18f52

  • SHA1

    e5d722229b5763e1696c0050c03c1bb3e10a985d

  • SHA256

    fcbd4dea80c08ac6b4a9900063cd99e09d0d0ebd8c1f3121aaccfa0633a40dcc

  • SHA512

    bb8e5e1828fa63ee0180977bd3b2c3eac913545d39f275ae4fdcc8edeabd5b24bfbce6fd66e766b7def9c514f12c5ca7ee4c277d300beba60488733df725f265

  • SSDEEP

    768:c0yUbkms0JqxXAsvf1f3okU2jCp/J7X+F+R9pPb6vOChzbWL6f:c0/bkt0JqhAmfR5U2jG/FOF09Rb6vOCh

Malware Config

Extracted

Family

xworm

Version

5.0

C2

coming-park.gl.at.ply.gg:2444

Mutex

K7NSFqXjepnC2GKu

Attributes

  • Install_directory

    %AppData%

  • install_file

    USB.exe

  • aes.plain

Targets

    • Deletes Windows Defender Definitions

      Uses the MpCmdRun.exe utility to remove all Windows Defender definitions (the documented switch for this is -RemoveDefinitions -All).

    • Detect Xworm Payload

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Command and Scripting Interpreter: PowerShell

      Runs commands through powershell.exe.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • UPX packed file

      Detects executables packed with the open source UPX packer or a modified UPX.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Enumerates processes with tasklist

    • Hide Artifacts: Hidden Files and Directories

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15