umbral | c22c863186e9e86a07cdb7f214c4acede216405a09d4032a603e64931f6966e6 | Triage

Submit
Reports

Overview

overview

Static

static

3

Loader.exe

windows11-21h2-x64

Sharing

General

Target

Loader.exe
Size

139KB
Sample

240516-hq44lahd45
MD5

8f77f8b13b914f358059e3f7b9ddab70
SHA1

d406a28486b4dd881c454e526e149b98c0ec8462
SHA256

c22c863186e9e86a07cdb7f214c4acede216405a09d4032a603e64931f6966e6
SHA512

b00ba88d36203e389021672b39839a172b58e492bb71afb33c9f53b9ba406a0cf5d61cb5bfe6f11dc40529be8424690737ce178d7dd4981b120ec4694f51abad
SSDEEP

3072:bNmWFIDmBFlT1wnCMjIM8pec/dAnXQdnbeFa7cMjGvA/v2QmZ6OGmfx7jHJm:b06BwnRlcCXUhcdv2uN5

Score

10^/10

umbral xworm execution persistence rat spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Loader.exe

Resource

win11-20240426-en

umbral xworm execution persistence rat spyware stealer trojan

windows11-21h2-x64

22 signatures

300 seconds

Malware Config

Extracted

Family

xworm

C2

answer-riverside.gl.at.ply.gg:45691

Attributes

Install_directory
%AppData%
install_file
svhost.exe

Targets

- Target
  
  Loader.exe
- Size
  
  139KB
- MD5
  
  8f77f8b13b914f358059e3f7b9ddab70
- SHA1
  
  d406a28486b4dd881c454e526e149b98c0ec8462
- SHA256
  
  c22c863186e9e86a07cdb7f214c4acede216405a09d4032a603e64931f6966e6
- SHA512
  
  b00ba88d36203e389021672b39839a172b58e492bb71afb33c9f53b9ba406a0cf5d61cb5bfe6f11dc40529be8424690737ce178d7dd4981b120ec4694f51abad
- SSDEEP
  
  3072:bNmWFIDmBFlT1wnCMjIM8pec/dAnXQdnbeFa7cMjGvA/v2QmZ6OGmfx7jHJm:b06BwnRlcCXUhcdv2uN5
Score

10^/10

umbral xworm execution persistence rat spyware stealer trojan
- Detect Umbral payload
- Detect Xworm Payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

umbralxwormexecutionpersistenceratspywarestealertrojan

© 2018-2024

Terms | Privacy