umbral | 2fad8bf4e40ac2f1b7da870bb8e4c228bec5c52a875aadf347e71a9cba30d6bc | Triage

Submit
Reports

Overview

overview

Static

static

3

Files To Use.exe

windows7-x64

Files To Use.exe

windows10-2004-x64

Sharing

General

Target

Files To Use.exe
Size

493KB
Sample

240208-bkkpfacbb2
MD5

d110ec96448664160f10da4abd78152f
SHA1

128cdfec7390922d3c643717149f81f4af277cd1
SHA256

2fad8bf4e40ac2f1b7da870bb8e4c228bec5c52a875aadf347e71a9cba30d6bc
SHA512

e99ca079cb44b89e331693c975438f88efda629d7fd898535c511078ca82e07be3faa71bcf31e0657f428556990860f0879d76e23c89f4d9be91f8655cb0734f
SSDEEP

12288:PBdlwHRn+WlYV+9VeD09yIzj8ftZJIF+dHO:PBkVdlYATeDOyuj8VwFUHO

Score

10^/10

umbral xworm persistence rat stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Files To Use.exe

Resource

win7-20231215-en

umbral xworm persistence rat stealer trojan

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

Files To Use.exe

Resource

win10v2004-20231215-en

umbral xworm persistence rat stealer trojan

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Version

3.1

C2

fhfgthfghfg-34660.portmap.host:34660

Attributes

Install_directory
%Userprofile%
install_file
Runtime Broker.exe

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1204944287041847307/aoa_S28cr8V4g11xswAZC9SdvRJS8ygczDK-GfItmMFXCcL2edroJI5lraSE-OISlf6d

Targets

- Target
  
  Files To Use.exe
- Size
  
  493KB
- MD5
  
  d110ec96448664160f10da4abd78152f
- SHA1
  
  128cdfec7390922d3c643717149f81f4af277cd1
- SHA256
  
  2fad8bf4e40ac2f1b7da870bb8e4c228bec5c52a875aadf347e71a9cba30d6bc
- SHA512
  
  e99ca079cb44b89e331693c975438f88efda629d7fd898535c511078ca82e07be3faa71bcf31e0657f428556990860f0879d76e23c89f4d9be91f8655cb0734f
- SSDEEP
  
  12288:PBdlwHRn+WlYV+9VeD09yIzj8ftZJIF+dHO:PBkVdlYATeDOyuj8VwFUHO
Score

10^/10

umbral xworm persistence rat stealer trojan
- Detect Umbral payload
- Detect Xworm Payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

umbralxwormpersistenceratstealertrojan

behavioral2

umbralxwormpersistenceratstealertrojan

© 2018-2025

Terms | Privacy