General

  • Target

    ToxicProject.rar

  • Size

    14.0MB

  • Sample

    240315-1h2bvabg6t

  • MD5

    95bb733df03eaf9a2d455450ee4003e8

  • SHA1

    1d6c18f2ec5501a01cf39faf9230aaa28c6db8f8

  • SHA256

    04068c986e06f0da3def4cc67df86a0ec76f6e324a99e9ebf23687c21645666a

  • SHA512

    c55d16e31b5124fc28d63b49ec6445b6a89623e9e70305156fbc1c7439f4e0e50b0e7c46bf45bb1460609cd999048a868b1e6a4d1c8d101009e8a7134d217b84

  • SSDEEP

    196608:Znw75pSvvDy2bpmAa72xIvRt5snPdFK5Jdr9hj+i4etUqUFc/muT8EgJHZtmi8:ZwCXbi7EIvRmPdFIhjF4eGnuT4DmB

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1218255752314097764/pf1l_fyX4Y944q-tMNsmbSq2cfDBpqCBXuTvF0vyF76tkTcn3FOYasjrq_iM6NffJOYF

Extracted

Family

xworm

C2

approved-supports.gl.at.ply.gg:45098

Attributes

  • Install_directory

    %AppData%

  • install_file

    rat.exe

Targets

    • Target

      ToxicProject.rar

    • Detect Umbral payload

    • Detect Xworm payload

    • Umbral

      Umbral stealer is an open-source modular stealer written in C#.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Creates new service(s)

    • Drops file in Drivers directory

    • Stops running service(s)

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks