Extracted

• • Target

    Request for Invoice to Process Payment.exe

  • Size

    1.8MB

  • MD5

    6f1ead21aa70a3e69cd5c69595fc7916

  • SHA1

    5feacb3a236a1e2a981540aca03fc6ab16d2aa76

  • SHA256

    36f19ccdfa20772ebeb1c2a89e0edd174465f5ac697323b4ab05c2a46ec1a1a7

  • SHA512

    800dc490d482582859ce6a1be834c5a13b501489329eab592fcc67f128462aa8424c9f5f5ec351124b9df660a1e8044786ce6b488ee34fdd0bf37fe9f2d224d5

  • SSDEEP

    24576:95tC5kWkHIVTl45p3aLpZsEFj8z2NJMW1O1EmSSTCSHkbe:9W7OQpZsEFBNsEmw

  Score

  10^/10

  modiloaderdiscoverytrojanstormkittyxwormexecutionratspywarestealer

  • Detect Xworm Payload

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader

  • Modiloader family

    modiloader

  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty

  • StormKitty payload

  • Stormkitty family

    stormkitty

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Xworm family

    xworm

  • ModiLoader Second Stage

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Suspicious use of SetThreadContext

  behavioral1behavioral2