General

  • Target

    LastActivityView.exe

  • Size

    89KB

  • Sample

    240506-3kw61sbe22

  • MD5

    499e35df562563babfff6a1d2ee71743

  • SHA1

    7bece5115d9df1fa43b6a7a69f9574a498388960

  • SHA256

    6ebd5512d5cede4fdf769c35a48727c5fd5acb8ac40ae4c5ea7e9ca37fc8747b

  • SHA512

    2df1934de1f45661ab929a7f7658478f5a3d8cacfbe682f1f6b8bee8a49ab2720141a1c0ea74608e14002ff5132cb0932c7fb5b3790575b5e23c5327adfdf377

  • SSDEEP

    1536:XQol2xVvTS+KaYKvHUxErb2PPSUF2Q06yG2OklzG2OrSBR27KmhDWP:XQvVqaZsqrbeafQUmklzG2OrUyKdP

Malware Config

Extracted

Family

xworm

C2

https://pastebin.com/raw/R8gFU5SX:123456789

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    {6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe

  • pastebin_url

    https://pastebin.com/raw/R8gFU5SX

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1237145706423123999/BQqwyjXaKt7KqCLA_iWguAde2fiNgpA36IvFL69WoxRB6yoYhMjlc7o80Exvew2DFX8M

Targets

    • Target

      LastActivityView.exe

    • Size

      89KB

    • MD5

      499e35df562563babfff6a1d2ee71743

    • SHA1

      7bece5115d9df1fa43b6a7a69f9574a498388960

    • SHA256

      6ebd5512d5cede4fdf769c35a48727c5fd5acb8ac40ae4c5ea7e9ca37fc8747b

    • SHA512

      2df1934de1f45661ab929a7f7658478f5a3d8cacfbe682f1f6b8bee8a49ab2720141a1c0ea74608e14002ff5132cb0932c7fb5b3790575b5e23c5327adfdf377

    • SSDEEP

      1536:XQol2xVvTS+KaYKvHUxErb2PPSUF2Q06yG2OklzG2OrSBR27KmhDWP:XQvVqaZsqrbeafQUmklzG2OrUyKdP

    • Detect Umbral payload

    • Detect Xworm Payload

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks