umbral | 879fc1eabb8371e770a2fea4362086d08fb8743ce5343465cbedf0c2fdd4404f | Triage

Submit
Reports

Overview

overview

Static

static

3

conta_injector.exe

windows7-x64

conta_injector.exe

windows10-2004-x64

Sharing

General

Target

conta_injector.exe
Size

2.6MB
Sample

231220-vcm95sgbdr
MD5

136572773a0b95e37f25ee732cd20564
SHA1

d5aa4913be0eb1a47fe95cdec0f398992b1066e9
SHA256

879fc1eabb8371e770a2fea4362086d08fb8743ce5343465cbedf0c2fdd4404f
SHA512

872c0dc675516b91d8ea43094532c749789753d631979070163c5b71adc088dd2e33393879658e0a361de3fc4f5ed1bd150ebc8658b558abfc46ccc7c8cee0ef
SSDEEP

49152:RP5mffPrD+IndQgKAr5ozxzu6LAH3zu292AXR3jzLzvX:RP5mvrD+ClNo9ztLA

Score

10^/10

umbral xworm persistence rat spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

conta_injector.exe

Resource

win7-20231215-en

umbral xworm persistence rat spyware stealer trojan

windows7-x64

23 signatures

150 seconds

Behavioral task

behavioral2

Sample

conta_injector.exe

Resource

win10v2004-20231215-en

umbral xworm persistence rat spyware stealer trojan

windows10-2004-x64

21 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%LocalAppData%
install_file
InvidiaDriver.exe

Targets

- Target
  
  conta_injector.exe
- Size
  
  2.6MB
- MD5
  
  136572773a0b95e37f25ee732cd20564
- SHA1
  
  d5aa4913be0eb1a47fe95cdec0f398992b1066e9
- SHA256
  
  879fc1eabb8371e770a2fea4362086d08fb8743ce5343465cbedf0c2fdd4404f
- SHA512
  
  872c0dc675516b91d8ea43094532c749789753d631979070163c5b71adc088dd2e33393879658e0a361de3fc4f5ed1bd150ebc8658b558abfc46ccc7c8cee0ef
- SSDEEP
  
  49152:RP5mffPrD+IndQgKAr5ozxzu6LAH3zu292AXR3jzLzvX:RP5mvrD+ClNo9ztLA
Score

10^/10

umbral xworm persistence rat spyware stealer trojan
- Detect Umbral payload
- Detect Xworm Payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

umbralxwormpersistenceratspywarestealertrojan

behavioral2

umbralxwormpersistenceratspywarestealertrojan

© 2018-2025

Terms | Privacy