General

  • Target

    proxy's woofer.rar

  • Size

    3.8MB

  • Sample

    241113-rcjeeawpfp

  • MD5

    5257956e7eeb3dab629dc8762656d618

  • SHA1

    6f1a5c10e8bdfdad2b2aeabc6fb140297ad22637

  • SHA256

    c2cb46401abaa50730f59e048b6d826a5ae5e3d03caae622e4c4d080bdf51262

  • SHA512

    0fca3b7e574478963ed1189ba16479829010296fd9ea4cdd088ca06da7ab01bc6e2f74a71fb468d7d06415636bbd7e435bd4c9d2e092b45f87849e3e327123e2

  • SSDEEP

    98304:quM05dVqozmztWX0BxDuZ+GFzEEnF5RnkqbAXw98nSfDh:9X5dVfOm0f++GHYwT7h

Malware Config

Extracted

Family

asyncrat

Version

Venom Pwn3rzs' Edtition v6.0.1

Botnet

Proxy

Mutex

0rU9DnsLkR

Attributes

  • delay

    1

  • install

    true

  • install_file

    NetworkEX.exe

  • install_folder

    %AppData%

  • pastebin_config

    https://pastebin.com/raw/RgYXYwVV

aes.plain

Extracted

Family

xworm

Attributes

  • Install_directory

    %AppData%

  • install_file

    NetworkEXP.exe

  • pastebin_url

    https://pastebin.com/raw/RgYXYwVV

  • telegram

    https://api.telegram.org/bot6554307825:AAFiCM4YZlx7R1yb0K0d5pqenjePI2Nljfc/sendMessage?chat_id=6077384108

Targets

    • Target

      proxy's woofer/HWID Checker.bat

    • Size

      1KB

    • MD5

      b4ed08e55abc091d58a99bfcef1cffa2

    • SHA1

      6bda510a1b877ca337c4653143d5de7316a502ca

    • SHA256

      6351f92bd290ad479d1746f1083fa52bd75df3e7b4046694688ac9b4fd13f803

    • SHA512

      888dd221195599042a1d5c12574137c66099c3610afee268886cdf0fd6568758cb2c06533f8e09c6be1266e0a4f1df3ede861f51e3bfa0dfd15bf57a566fb0a2

    Score: 1/10

    • Target

      proxy's woofer/Proxy's Spoofer V2.exe

    • Size

      6.0MB

    • MD5

      710df7d1b2f1b2ee6753747d5c04b346

    • SHA1

      294f0da01e406b2f58c132400385cb6f31d1c93e

    • SHA256

      aa8b6bfba812dcd1a85296a313cf859837394b9f917313abba64fa7678a110ed

    • SHA512

      b91a9e3cba368e6d3199f66817ab766e72ccc6556b8ee9abdaa50511e48fdb09ffa57b6548864f3e1b77fcdaeda7c30456aff90375fd3b3ee8267860f0fc2285

    • SSDEEP

      98304:aEv4T1+hACMzMtXqIEO8ODEO4bTFF+LocldaK3//LMAEyHBso06:yTYbUVO8gWF+LDraK37MvJ6

    • AsyncRat

      AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

    • Asyncrat family

    • Deletes NTFS Change Journal

      The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

    • Detect Xworm Payload

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Stormkitty family

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Async RAT payload

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Modifies Windows Firewall

    • Sets file to hidden

      Modifies file attributes so the file is not shown in Explorer and similar tools.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks