Extracted

Extracted

• • Target

    IO tootls.exe

  • Size

    209KB

  • MD5

    841d1c344cc00671b25a80e6db3b1e06

  • SHA1

    1952391bfc777b4cd2acc403d895dd7e198aa013

  • SHA256

    932efb570cd8045499675443a910394b5c6bec45511aa2c517a636bd3e385766

  • SHA512

    75af1637e76c307c6241a4ac26859a9260c2198d2aa83e5a6c52e0ec6bb37fac4cecf4f002f05d861356f833fc306869682e3195c0e6ba603e8ebf4b9a98f96e

  • SSDEEP

    6144:v5DmisKDLvohc1Y3o40bbwhpn8+jPmqSQj33zO9Y:xXLDor440y8oPmZW

  Score

  10^/10

  umbralxwormpersistenceratspywarestealertrojan

  • Detect Umbral payload

  • Detect Xworm Payload

  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Drops file in Drivers directory

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2behavioral3behavioral4behavioral5