Extracted

• • Target

    spoof test.7z

  • Size

    50KB

  • MD5

    2b80931dfec2265ac0357414e27497f4

  • SHA1

    d7bfec86f61e214a8b43fcdcaaf82bda5e88557a

  • SHA256

    9f83ee8c3f2263e2400f1dc667c58520a846d81b12e8d15f62e4dfeba4389b3b

  • SHA512

    cb9443487acf4de4a33deb781ef206533cf5b4095671f08dd2b5607f388a82be8478b4db86b5ceaebb6f1dcd6958cd2d09399a0acea04ecb6d9368fb94cda203

  • SSDEEP

    768:AH1u19IsbaKCa8fll6kehelKR8e1vmrnwJU2O3QLp5OYgtf8aGZqfTn:AVuXIsqaSlRehZRBF+/pip/glOcTn

  Score

  10^/10

  stormkittyxwormdiscoveryevasionexecutionpersistenceprivilege_escalationransomwareratspywarestealertrojan

  • Contains code to disable Windows Defender

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detect Xworm Payload

  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty

  • StormKitty payload

  • Stormkitty family

    stormkitty

  • UAC bypass

    evasiontrojan

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Xworm family

    xworm

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Disables Task Manager via registry modification

    evasion

  • Modifies Windows Firewall

    evasion

  • Drops startup file

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Drops file in System32 directory

  • Sets desktop wallpaper using registry

    ransomware
  behavioral1