General
- Target: Result.exe
- Size: 422KB
- Sample: 240427-stmc3adb9t
- MD5: d4a25a5c3c21cb009ce03b1679f792f1
- SHA1: 58c1759d4f82240d90cc9c5fb4a9f2f6d7dbc6a4
- SHA256: c1032817c3b6733dccbfe475c4ab3313981410387f518ae06cbbfcf7a51674c6
- SHA512: 4feee7be209d0a7d6f7e005005af8a49f578c12dee9941f743513ac065e5b89e2e3ca3cbea2288d3150ceb0f8b782665429a7dcc046be93bcd109deaddb24d95
- SSDEEP: 12288:YoZRL+EP8DDUgoOJBiLHaIJtMQIL/57qDYHN:8I8HUgoOJBiLHaIJtMQK7N
Malware Config
Extracted: umbral
- https://discord.com/api/webhooks/1233119648527159317/Az86qBZQwyED_alc1sGO6UWR18PzIJCJX0PM3XdL1VTOwZPXr0B4Rc6-GqAkKUjg4Jn2
Extracted: xworm
- phentermine-partial.gl.at.ply.gg:36969
- Install_directory: %AppData%
- install_file: Client.exe
- telegram: https://api.telegram.org/bot7080511499:AAGFFOA3S2vvwmEy85SIMhKHrMsAdBoLR2Y
Extracted: njrat
- 0.7d
- Paxankor
- hakim32.ddns.net:2000
- phentermine-partial.gl.at.ply.gg:36969
- 9e134de821c32c6ed483f39ec83528df
- reg_key: 9e134de821c32c6ed483f39ec83528df
- splitter: |'|'|
Targets
- Target: Result.exe
- Size: 422KB
- Detect Umbral payload
- Detect Xworm Payload
- Disables Task Manager via registry modification
- Drops file in Drivers directory
- Modifies Windows Firewall
- Drops startup file
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
MITRE ATT&CK Enterprise v15
Persistence
- Create or Modify System Process: Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Create or Modify System Process: Windows Service (1)
- Scheduled Task/Job (1)