General

  • Target

    Nursultan Leake1d.exe

  • Size

    423KB

  • Sample

    240224-vacevsgg56

  • MD5

    56b7bf9fd3324fcad106b4951fdb51da

  • SHA1

    f15da91511d34268fc24d86184d56b73e9d22f0a

  • SHA256

    be29b8bd644e04309f5becd26ee65e3138b50f44090767003b16fd02f428d451

  • SHA512

    7a29b4493f7736b1b001cc540568c7bae9a5b604e0ecfa185ffd675053d39014797f37fb74815e10e7891a006a65f076c1a871a2ed715c182c3250d465222092

  • SSDEEP

    6144:QzUbeFpDxUC6eVy9QetdHZwJvJMxhnel93mdQoCX:Q5/yIVjAFZwJxEh

Malware Config

Extracted

Family

xworm

C2

content-royal.gl.at.ply.gg:35017

Attributes

  • Install_directory

    %AppData%

  • install_file

    conhost.exe

Targets

    • Target

      Nursultan Leake1d.exe

    • Size

      423KB

    • MD5

      56b7bf9fd3324fcad106b4951fdb51da

    • SHA1

      f15da91511d34268fc24d86184d56b73e9d22f0a

    • SHA256

      be29b8bd644e04309f5becd26ee65e3138b50f44090767003b16fd02f428d451

    • SHA512

      7a29b4493f7736b1b001cc540568c7bae9a5b604e0ecfa185ffd675053d39014797f37fb74815e10e7891a006a65f076c1a871a2ed715c182c3250d465222092

    • SSDEEP

      6144:QzUbeFpDxUC6eVy9QetdHZwJvJMxhnel93mdQoCX:Q5/yIVjAFZwJxEh

    • Detect Umbral payload

    • Detect Xworm Payload

    • Umbral

      Umbral stealer is an open-source modular stealer written in C#.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks