General

  • Target

    HWID.exe

  • Size

    142KB

  • Sample

    231207-2p931aga67

  • MD5

    9d56d51792b9a4374f1d83673d07f30f

  • SHA1

    4fc9c3c5fc06706af8451d895abb392350d5e53b

  • SHA256

    6e9b99bf972b0f87f6c658142f58d2afe0a105108d03653d9e768118c831493f

  • SHA512

    6ab0046f29b0e3af89350ece266efd8c0ab81ee8b5b7c4168e16767a92783d9438f443b52b33964fadb5fd79a71321cefe3a8ecad3c0cb8581e1e885a934f006

  • SSDEEP

    3072:TvJzTugv8nBvQ89ynM8Fg+V0PqCkxY5ki8Q1o7XsUDCD:Thzygv8n9x9W3qJkxY5kfEo7T2

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1182449804958248970/DRF0ya2e3evg84K0Bvj6KDwl3i7xtSWZ3g0gIs0o-TUVRK-JP1st19-yHi5V8uo23sfe

Extracted

Family

xworm

C2

owner-cc.gl.at.ply.gg:32281

Attributes
  • Install_directory

    %AppData%

  • install_file

    WindowsSoundSystem.exe

Targets

    • Target

      HWID.exe

    • Size

      142KB

    • MD5

      9d56d51792b9a4374f1d83673d07f30f

    • SHA1

      4fc9c3c5fc06706af8451d895abb392350d5e53b

    • SHA256

      6e9b99bf972b0f87f6c658142f58d2afe0a105108d03653d9e768118c831493f

    • SHA512

      6ab0046f29b0e3af89350ece266efd8c0ab81ee8b5b7c4168e16767a92783d9438f443b52b33964fadb5fd79a71321cefe3a8ecad3c0cb8581e1e885a934f006

    • SSDEEP

      3072:TvJzTugv8nBvQ89ynM8Fg+V0PqCkxY5ki8Q1o7XsUDCD:Thzygv8n9x9W3qJkxY5kfEo7T2

    • Detect Umbral payload

    • Detect Xworm Payload

    • Umbral

      Umbral stealer is an open-source modular stealer written in C#.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Drops startup file

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks