Extracted

• • Target

    danger-multi-tool-main/src/main.py

  • Size

    13KB

  • MD5

    c48f27c10efb969ac31147a787860fb9

  • SHA1

    611c119923825407e300cc86ec258669b0224ebd

  • SHA256

    984c5a8704a16386a31fb31f903da7c24a7b67c224906be88039ea15ead84286

  • SHA512

    fd23d04786f93d5e2440912b71d83df15b100e2bd286e68e32cfb7ce23eb9f346c531fe822fc953c1eccbaf6395b63acc7697851ebc608834e5852a15056141c

  • SSDEEP

    384:MG87mbbEB8IXCa7bujRs8pWS+QinACIBadXGxuapdBeYyil4TKl17+Ryf3urqpMG:MG+mba8IXCa7bujRs8pWS+QinACIBad+

  Score

  3^/10
  behavioral1

• • Target

    danger-multi-tool-main/src/utils/__pycache__/cpython-311.pyc

  • Size

    7.4MB

  • MD5

    1a2ff293768d10b8c99d3cd2950164b9

  • SHA1

    e9123a3d2a53b5f8d008db9608037dd0571f3cae

  • SHA256

    3c09a37412bf3981e5d678b6598c2cdad32fcd6761fc649a50693ba45746e242

  • SHA512

    ff8a853675431bc36d88288546d7f467f239ae2e4e7ef019476ac4ca06f715e88f201753d7201dbfacb3b6dca51be764036372de8a8c0def29e00ae5e9469941

  • SSDEEP

    98304:FWeYgI6OshoKyDvuIYc5AhV+gEc4kZvRLoI0EJfNA3z5UTfHfyk6LK4dSI23o7yc:FPYmOshoKMuIkhVastRL5Di3tO/ys42O

  Score

  10^/10

  collectioncredential_accessdefense_evasiondiscoveryevasionexecutionpersistenceprivilege_escalationspywarestealerupx

  • Deletes Windows Defender Definitions

    Uses mpcmdrun utility to delete all AV definitions.

    evasion

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Clipboard Data

    Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    collection

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Unsecured Credentials: Credentials In Files

    Steal credentials from unsecured files.

    credential_accessstealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Obfuscated Files or Information: Command Obfuscation

    Adversaries may obfuscate content during command execution to impede detection.

    defense_evasion

  • Enumerates processes with tasklist

    discovery

  • Hide Artifacts: Hidden Files and Directories

    defense_evasion

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral2

• • Target

    danger-multi-tool-main/start.bat

  • Size

    30KB

  • MD5

    7ba955995f65ce6b05a74ee4515749cb

  • SHA1

    2710d30d8077a3c72cd819fbe7cc8b52188b57db

  • SHA256

    eaf6f1b53d2b7e04b7a1250ccae7fa440fef762b243b58de3fad89d797143cc7

  • SHA512

    6d4b7be5872b6762e922c925e9566d3751ad0bf5f745f00462c6c6c5e98bacc14e2bd16ef379bcf4d75167aeb088571efe957279d3b330e864ef439e743da2ac

  • SSDEEP

    48:9gros7BK7cp3zI8FpIJp/4eai2gF9H2YHwvfol2+:9gO4dI8ihXf

  Score

  10^/10

  xwormexecutionpersistencerattrojan

  • Detect Xworm Payload

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Xworm family

    xworm

  • Blocklisted process makes network request

  • Command and Scripting Interpreter: PowerShell

    Powershell Invoke Web Request.

    execution

  • Downloads MZ/PE file

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  behavioral3