General

  • Target

    LUKZICHEAT3DAY.exe

  • Size

    20.3MB

  • Sample

    250305-13b8fszzcz

  • MD5

    69d03c7e2b083db3e8cccad7c2a74a53

  • SHA1

    7bad6b251222991bb5b91bf688ee9d2a4d57db0b

  • SHA256

    4ce6de7deccb1a06aa6a77ed6efca36fa9bf9dd9a83fa390b011cbba6dc61fc1

  • SHA512

    192befdb4d19881848c4b3d560363e828fc579859bcc8db9d84836c0adfeec05205660114129bc897ed13129a81878b74e06a70657f4b7a1fb8f3e560cbc679f

  • SSDEEP

    393216:gUHyrS/7hf6ETSBHwD3xAk/yzmAhy7M3WzkQYFKyOkgoPY25a5Xt8eox7F1GYVAw:gUHyUhf9TWexVPAhy7MWk5ngiY2MJoxJ

Malware Config

Extracted

Family

xworm

Version

3.1

C2

185.172.175.125:5000

Mutex

Uto2xJheY5reQlME

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

aes.plain

Targets

    • Detect Umbral payload

    • Detect Xworm Payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Umbral

      Umbral stealer is an open-source modular stealer written in C#.

    • Umbral family

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell and hides the display window.

    • Downloads MZ/PE file

    • Sets service image path in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks