Resubmissions

17-09-2024 21:20

240917-z6styawanp 10

07-09-2024 15:18

240907-spsdhszekm 3

General

  • Target

    c22dc50dc2bbe4422c7f68d26ab95eb9.zip

  • Size

    27KB

  • Sample

    240917-z6styawanp

  • MD5

    31be67fea166d4f1c4278bd81f041b66

  • SHA1

    24a0611f17ff0f84dd2b540a96dacb3ac4bd334b

  • SHA256

    08f327fa721faf4fa748844b307ffb66ee56370e705c0b34942d4084a88ab469

  • SHA512

    a989b2b108033c4c81b77c8dc6e2de0d0d593cbd4b65dcfa54f967569df56f56a05eb0b92e7bd0bb6cce024ac11ed449939291d815c1a60cd9a8dd8c88b72995

  • SSDEEP

    768:Iuj5YRauxrSE6oYBaKKAy9hkzxv7e6tDLS/:PEamP6oPKyYzxaeo

Malware Config

Extracted

Language

ps1

Deobfuscated URLs

ps1.dropper

https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg

exe.dropper

https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:7000

Mutex

pkJ7wMfjO0FqUPb3

Attributes
  • install_file

    USB.exe

aes.plain

Targets

    • Target

      c22dc50dc2bbe4422c7f68d26ab95eb9.js

    • Size

      92KB

    • MD5

      abbf8daa7bcdaca739f4d3fc4ebae091

    • SHA1

      1706784a398f62b28b178ca471446ed2dbb2aee9

    • SHA256

      a58fe10a096397b8eb9404af4ab8dfe14b1d88ae043f480f93697591ae262626

    • SHA512

      91d0b100ee6f708f4708e7e3ae9a7407c53a3e16f3fb58ea79b15751bf5edb1cfde75184ae0c7e3148ddc0170d9b8ad587cedbc856f10c8f40b2a62e13d56e9e

    • SSDEEP

      1536:JiPdxrC3WtVFyIcQwYJWOlA/Zk0pRZw6lw1rPTf:J+w2WhlprwXpTf

    • Detect Xworm Payload

    • XenArmor Suite

      XenArmor is a suite of password recovery tools for various applications.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Looks for Xen service registry key.

    • Sets service image path in registry

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Accesses Microsoft Outlook accounts

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Mark of the Web detected: This indicates that the page was originally saved or cloned.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15