Overview

overview

10

Static

static

3

IO tootls.exe

windows7-x64

10

IO tootls.exe

windows10-1703-x64

10

IO tootls.exe

windows10-2004-x64

10

IO tootls.exe

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    IO tootls.exe

  • Size

    207KB

  • Sample

    240225-gnd9qadc62

  • MD5

    5afd3e0ac701a47f48772af3c5eb54d1

  • SHA1

    ac20c5db48d258c9f00845fb3508e90d4f3187ae

  • SHA256

    6060fb48cc4a123bb9a64f8854f8c5253dc125194469f2e4b0821d4248f14c3c

  • SHA512

    24329cf850d5578c13799f093394c619ece7c0ba36a79fc57084e9c1da38d119e39bc27e5e91de12c1426bf1fe7131060ce3a20fc566d90525a99e4da914337b

  • SSDEEP

    6144:rJX6OJ0PS7eEcJWIUPjw7B5oZKH4FIlhuc4w1VVcKGwO9t:94SqE4q7coY4ShucV43

Score
10/10
umbralxwormpersistenceransomwareratspywarestealertrojan

Malware Config

Extracted

Family

xworm

C2

hai1723rat-60039.portmap.io:60039

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1211176678466916392/99VOwP9dc7iQz2Is-QlZ872KZaiUa4r3sEvXqZ6NmS-fFuTojiUjOg2SjIUWBCIoPNFA

Targets

    • Target

      IO tootls.exe

    • Size

      207KB

    • MD5

      5afd3e0ac701a47f48772af3c5eb54d1

    • SHA1

      ac20c5db48d258c9f00845fb3508e90d4f3187ae

    • SHA256

      6060fb48cc4a123bb9a64f8854f8c5253dc125194469f2e4b0821d4248f14c3c

    • SHA512

      24329cf850d5578c13799f093394c619ece7c0ba36a79fc57084e9c1da38d119e39bc27e5e91de12c1426bf1fe7131060ce3a20fc566d90525a99e4da914337b

    • SSDEEP

      6144:rJX6OJ0PS7eEcJWIUPjw7B5oZKH4FIlhuc4w1VVcKGwO9t:94SqE4q7coY4ShucV43

    Score
    10/10
    umbralxwormpersistenceratspywarestealertrojanransomware

    • Detect Umbral payload

    • Detect Xworm Payload

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

      stealerumbral

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Sets desktop wallpaper using registry

      ransomware

    • Suspicious use of SetThreadContext

    behavioral1behavioral2behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks