Extracted

• • Target

    DiscordNukerV1.0.exe

  • Size

    14.8MB

  • MD5

    38df4465ac1c0b796df23a8c607a1d5b

  • SHA1

    d1434d1f559deb702590a6c978b6e7d38e2a7767

  • SHA256

    18b4e3d6eca1a5812222f2c4d1c86b68cb929fda16108242fef13a4f097f877f

  • SHA512

    2af234bd6e438e30e8056e0b6fc4aedc651fcd6fa123b0688a02dd5af2d48aa5395e004d9ebc334743febab204dc3f10cb1c3f63f7102c9b9d9b7b7ef7f71bae

  • SSDEEP

    196608:RQapTQTpurvvybvz5U0+tfSl5GNxc54hSOCFWYv3b6qDdc9pm7+4Sf9nCoUm4vvT:RQpuTybvCdpkGNXSOr+0ipc

  Score

  10^/10

  stormkittyxwormdiscoveryexecutionpersistencepyinstallerratspywarestealertrojan

  • Contains code to disable Windows Defender

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detect Xworm Payload

  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty

  • StormKitty payload

  • Stormkitty family

    stormkitty

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Xworm family

    xworm

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1behavioral2