umbral | d9b248ce98a243a37d33096fc7b1cad784ee77f5920b0bd6618a6690ca426f18 | Triage

Submit
Reports

Overview

overview

Static

static

Malinovka Install.exe

windows7-x64

Malinovka Install.exe

windows10-2004-x64

Sharing

General

Target

Malinovka Install.exe
Size

319KB
Sample

240427-pbmpbsag6w
MD5

f69924b642ac4b9ef1dfacdfd43759a9
SHA1

95da50564c7cbc3749148419c68a08b0f2869ee1
SHA256

d9b248ce98a243a37d33096fc7b1cad784ee77f5920b0bd6618a6690ca426f18
SHA512

2334511265c507d16b3a323c721a392659feb405a5d9fea588146c4ef320261166312c2fcf8f494c4aa342e0b5a9d5da20576ce2d6ae1e3215ee47dcc19f5e07
SSDEEP

6144:48loZMCrIkd8g+EtXHkv/iD4DDUgoOJBiLHaIJtM34b8e1mmiW2brXv5P:7oZRL+EP8DDUgoOJBiLHaIJtMQIL/5P

Score

10^/10

umbral xworm rat spyware stealer trojan

Static task

static1

5 signatures

Behavioral task

behavioral1

Sample

Malinovka Install.exe

Resource

win7-20240221-en

umbral xworm rat spyware stealer trojan

windows7-x64

21 signatures

150 seconds

Behavioral task

behavioral2

Sample

Malinovka Install.exe

Resource

win10v2004-20240426-en

umbral xworm rat spyware stealer trojan

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1233119648527159317/Az86qBZQwyED_alc1sGO6UWR18PzIJCJX0PM3XdL1VTOwZPXr0B4Rc6-GqAkKUjg4Jn2

Extracted

Family

xworm

C2

phentermine-partial.gl.at.ply.gg:36969

Attributes

Install_directory
%AppData%
install_file
Client.exe
telegram
https://api.telegram.org/bot7080511499:AAGFFOA3S2vvwmEy85SIMhKHrMsAdBoLR2Y

Targets

- Target
  
  Malinovka Install.exe
- Size
  
  319KB
- MD5
  
  f69924b642ac4b9ef1dfacdfd43759a9
- SHA1
  
  95da50564c7cbc3749148419c68a08b0f2869ee1
- SHA256
  
  d9b248ce98a243a37d33096fc7b1cad784ee77f5920b0bd6618a6690ca426f18
- SHA512
  
  2334511265c507d16b3a323c721a392659feb405a5d9fea588146c4ef320261166312c2fcf8f494c4aa342e0b5a9d5da20576ce2d6ae1e3215ee47dcc19f5e07
- SSDEEP
  
  6144:48loZMCrIkd8g+EtXHkv/iD4DDUgoOJBiLHaIJtM34b8e1mmiW2brXv5P:7oZRL+EP8DDUgoOJBiLHaIJtMQIL/5P
Score

10^/10

umbral xworm rat spyware stealer trojan
- Detect Umbral payload
- Detect Xworm Payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

umbralxwormratspywarestealertrojan

behavioral2

umbralxwormratspywarestealertrojan

© 2018-2024

Terms | Privacy