General

  • Target

    System.exe

  • Size

    76KB

  • Sample

    240429-azb56sdd6z

  • MD5

    926f40028aab7e451391a2f0a1f19878

  • SHA1

    3154d7a394ab28b112813e1e2da05571d5f73610

  • SHA256

    c9616db331e3194dce2010d0ee4be7525b83e5761dad9af507035e9a3ef89a8e

  • SHA512

    ed7ef5b89abfe6dfe68e7c365ae4a5925a57e3a470f64714a6614f1ca80746e70ef73bbb2fef56d8ee3123c4066acc5678c7dc629995f42178a65d53cf3ac18f

  • SSDEEP

    1536:eryUJOfxZ+3NZuLtK4q5KKI+bsjI3Bb9J6rJMtOGGL8LnV:Qyk9YxaXI+bsUgSOGGL8bV

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:51984

distribution-devoted.gl.at.ply.gg:51984

Attributes

  • Install_directory

    %Public%

  • install_file

    System.exe

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1234290044433465374/GpPW-XGmfNZwg5e2f01EG2PFFPvogLtW7nThGaKgRHlCFk37428m1sT_iMF8jegOqr27

Targets
    • Detect Umbral payload

    • Detect Xworm Payload

    • Umbral

      Umbral stealer is an open-source modular stealer written in C#.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Adds Run key to start application
