Extracted

Extracted

Extracted

• • Target

    EXMservice.exe

  • Size

    21.7MB

  • MD5

    f551d9082d5a86776a906984e9cac3b3

  • SHA1

    7f2294fb608e65fb06b844a559dc3e8ec26dff8b

  • SHA256

    40c4fc26947ad84ecbfbeba71c930dc8f7f4dd5ae737c0021a0cdf721a76facf

  • SHA512

    444f10d6468c28bab1920e33544becbc228b9cca6d710e4751bab50cd04baf6fe2c2d499ed578116212e1219a68f55c6cf836a61dd5f576cce8c6fd3fc1afe1d

  • SSDEEP

    393216:xQKf8nAG+bkX7ViesEfcGhCDNz1FNcRQR35DNJ93IPzIYHEKwPs91DQVtUcpBc:OK0AHbuViP6cGhCDdxDRFXePnkM91DQd

  Score

  10^/10

  upxasyncratgurcustormkittyxwormdefaultcollectioncredential_accessdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationratspywarestealertrojan

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat

  • Asyncrat family

    asyncrat

  • Detect Xworm Payload

  • Gurcu family

    gurcu

  • Gurcu, WhiteSnake

    Gurcu aka WhiteSnake is a malware stealer written in C#.

    stealergurcu

  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty

  • StormKitty payload

  • Stormkitty family

    stormkitty

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • UAC bypass

    defense_evasiontrojan

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Xworm family

    xworm

  • Async RAT payload

    rat

  • Blocklisted process makes network request

  • Command and Scripting Interpreter: PowerShell

    Using powershell.exe command.

    execution

  • Contacts a large (1157) amount of remote hosts

    This may indicate a network scan to discover remotely running services.

    discovery

  • Stops running service(s)

    defense_evasionexecution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Clipboard Data

    Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    collection

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Unsecured Credentials: Credentials In Files

    Steal credentials from unsecured files.

    credential_accessstealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  • Indicator Removal: File Deletion

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Obfuscated Files or Information: Command Obfuscation

    Adversaries may obfuscate content during command execution to impede detection.

    defense_evasion

  • Drops file in System32 directory

  • Enumerates processes with tasklist

    discovery

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1behavioral2

• • Target

    main.pyc

  • Size

    758B

  • MD5

    c0b3c66ad1cd0dab72d99c9d371d6c8e

  • SHA1

    f7ef7218af6319c29b94c85b9dd0a25556cd72ba

  • SHA256

    d9f62b1e07b2c27d6226384c9fa08b89dab614b5b679154e864dd9b61d9da4cf

  • SHA512

    d15a6ce37155023f50216623d445e7d6966fde6a2e5b3d9ec5649a410c494fba79cea29afd00e90092175a75bc0a922ab0aad0d4e678151ecc6ebde20b3074e9

  Score

  3^/10
  behavioral3behavioral4