umbral

General

Target

RC7.zip
Size

10.4MB
Sample

231205-ktxvssae26
MD5

f013b378cda7df27b3520b8a1aa167c6
SHA1

e29e120ae735ef89057bd6f285daf0b467239e65
SHA256

c2896e90b50b14aa6ad8d39f7d828f92e963f6b756e8cb2d075046913e497a81
SHA512

55c6b21e13cf645c8d2aab8e8a27bd55e591b41460bb88e75659cdb040a9fa13178b5f66f48af7941886844981ab5b3fce2f8412d232af6475ad85159dae920f
SSDEEP

196608:bzvW907ZvRLSuNhkYtvNl5oENhkYt4a61QKAmtphMa7k/vg:bLW275lPh5hN8Qh5B61QCp2m

Score

10^/10

Malware Config

Extracted

Family

xworm

C2

owner-cc.gl.at.ply.gg:32281

Attributes

Install_directory
%AppData%
install_file
WindowsSoundSystem.exe

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1181010758201520208/iCxvWqp_69ofS-eHs5naW1_4vBzPxLSr9zIR5Bso1e4orm8yDICPrre5CTF60DCywY_3

https://discord.com/api/webhooks/1179573880306806895/9PPafRuKqunRXMBgRp7lwh-lO7PV6gpu6bih39np__mk8ZAghkJ95dBDKUvofe3l-iRe

Targets

- Target
  
  RC7_UI.exe
- Size
  
  830KB
- MD5
  
  44be1d272c2f2d32bbc71db7a246982c
- SHA1
  
  76c42f9f187a9570775af1d611f04da0765036d2
- SHA256
  
  f78e4ed7297aefb1e8c50b976907fda03f20069f9d3958497e260a69ef4ac47b
- SHA512
  
  b5417d9c187fbf5abea667531da3381384ba407d2aeb458e4021acf1115fd72f6fec22a30672880fb6581d1db853f2cfae30bd8a85eff7420979d1c2ff52d93f
- SSDEEP
  
  6144:jBku01IJVLfsOIJVLfss8XnXwtQ/c72IkoxkDtSP4EIJVLfscz:Vk8VLfwVLfiBVLfVz
Score

10^/10

umbral xworm rat stealer trojan
- Detect Umbral payload
- Detect Xworm Payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Drops startup file
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Detect Umbral payload

Detect Xworm Payload

Xworm

Drops startup file

Executes dropped EXE

Looks up external IP address via web service

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2