Extracted

• • Target

    LPO_2400320057.pdf.exe

  • Size

    1.8MB

  • MD5

    ad1de3461d1a1ca1e1308b470189e33e

  • SHA1

    4f31564e88f4dbef9de32921e3ce3e7577fd1025

  • SHA256

    2663813a533d2a48f9eaf8eda1b3536578377faf3008da63035fb050cb8370e3

  • SHA512

    e80da0a03b8c9b86cb59c37e9a9867a8ea21ec4bc0aa3e5c571cd80434f6c4a2b5d04dcf770d5eac098d121a6cf832eae623a73be0f9970e3417affb304d0b49

  • SSDEEP

    24576:95tC5kWkHIVTl45p3aLpZso9Tz+hGu2Wq:9W7OQpZsiOAus

  Score

  10^/10

  modiloaderdiscoverytrojanstormkittyxwormexecutionratspywarestealer

  • Detect Xworm Payload

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader

  • Modiloader family

    modiloader

  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty

  • StormKitty payload

  • Stormkitty family

    stormkitty

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Xworm family

    xworm

  • ModiLoader Second Stage

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Suspicious use of SetThreadContext

  behavioral1behavioral2