General

  • Target

    Result.exe

  • Size

    422KB

  • Sample

    240427-stmc3adb9t

  • MD5

    d4a25a5c3c21cb009ce03b1679f792f1

  • SHA1

    58c1759d4f82240d90cc9c5fb4a9f2f6d7dbc6a4

  • SHA256

    c1032817c3b6733dccbfe475c4ab3313981410387f518ae06cbbfcf7a51674c6

  • SHA512

    4feee7be209d0a7d6f7e005005af8a49f578c12dee9941f743513ac065e5b89e2e3ca3cbea2288d3150ceb0f8b782665429a7dcc046be93bcd109deaddb24d95

  • SSDEEP

    12288:YoZRL+EP8DDUgoOJBiLHaIJtMQIL/57qDYHN:8I8HUgoOJBiLHaIJtMQK7N

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1233119648527159317/Az86qBZQwyED_alc1sGO6UWR18PzIJCJX0PM3XdL1VTOwZPXr0B4Rc6-GqAkKUjg4Jn2

Extracted

Family

xworm

C2

phentermine-partial.gl.at.ply.gg:36969

Attributes
  • Install_directory

    %AppData%

  • install_file

    Client.exe

  • telegram

    https://api.telegram.org/bot7080511499:AAGFFOA3S2vvwmEy85SIMhKHrMsAdBoLR2Y

Extracted

Family

njrat

Version

0.7d

Botnet

Paxankor

C2

hakim32.ddns.net:2000

phentermine-partial.gl.at.ply.gg:36969

Mutex

9e134de821c32c6ed483f39ec83528df

Attributes
  • reg_key

    9e134de821c32c6ed483f39ec83528df

  • splitter

    |'|'|

Targets

    • Detect Umbral payload

    • Detect Xworm Payload

    • Umbral

      Umbral stealer is an open-source modular stealer written in C#.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Disables Task Manager via registry modification

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks