Extracted

Extracted

Extracted

• • Target

    Maple.sfx.exe

  • Size

    49.9MB

  • MD5

    b6eb7b6c81c32e94112f00a4bd7fbc80

  • SHA1

    328d30384ac99a4b24ebb78fe1ccde41444191a7

  • SHA256

    5db2db5c8a468b925bdf13bb3f11244af1c7dbc86a6f5727b724bf1961c5e5e2

  • SHA512

    94e1d9a2899f7d2a210dc76615923be8475a8f89c9484d56f3ee2c9c28cf75a13051df8dd068835261bcab62e12a4c57bbb41efa0b7783b8b1138b314649f003

  • SSDEEP

    1572864:wOyrjq1zExjMkfCfYFvWExN+ZJupU485C3Kc68:wOscE9Mkfnb1pUTC3P68

  Score

  10^/10

  njratumbralxwormhackeddiscoveryevasionexecutionpersistenceprivilege_escalationratspywarestealertrojan

  • Detect Umbral payload

  • Detect Xworm Payload

  • Njrat family

    njrat

  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral

  • Umbral family

    umbral

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Xworm family

    xworm

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat

  • Command and Scripting Interpreter: PowerShell

    Using powershell.exe command.

    execution

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Drops file in Drivers directory

  • Modifies Windows Firewall

    evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1behavioral2