General

  • Target

    Shellbag anylizer.exe

  • Size

    69KB

  • Sample

    240613-1vqe4s1hph

  • MD5

    a498059077fb136b7d57ef6f00dcae46

  • SHA1

    77421f91ed2c1586419128bd4687241050d712cc

  • SHA256

    8f2d3eeab5e5d807acff4be9b7d6b41340f0c8a891baa094543d10e65ccec7f2

  • SHA512

    3bec766aa97ed8b89c8be1c4da89befc5f22217637f72d158753996b2ed74439cf485e7692f4f1fa522d31ceb608c86b9035e9c594fcb147a91edf4547ac14c3

  • SSDEEP

    1536:bS3U8pWjIK2vvt8yAnkEZ6sPvWybW46zaQInA6dylkYcdOisYt2jNsXr:bWfWjXENk6wpbW4B9SSOisYsxer

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %Temp%

  • install_file

    svchost.exe

  • pastebin_url

    https://pastebin.com/raw/qEVZXv39

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1228033288061583443/fMN2NuuQRV7pkiIZ0PwY980zozE_UYckmNOKmsrzvNf0xKeDmgGvDkNwC07bWCnl3OgB

Targets

    • Target

      Shellbag anylizer.exe

    • Size

      69KB

    • MD5

      a498059077fb136b7d57ef6f00dcae46

    • SHA1

      77421f91ed2c1586419128bd4687241050d712cc

    • SHA256

      8f2d3eeab5e5d807acff4be9b7d6b41340f0c8a891baa094543d10e65ccec7f2

    • SHA512

      3bec766aa97ed8b89c8be1c4da89befc5f22217637f72d158753996b2ed74439cf485e7692f4f1fa522d31ceb608c86b9035e9c594fcb147a91edf4547ac14c3

    • SSDEEP

      1536:bS3U8pWjIK2vvt8yAnkEZ6sPvWybW46zaQInA6dylkYcdOisYt2jNsXr:bWfWjXENk6wpbW4B9SSOisYsxer

    • Detect Umbral payload

    • Detect Xworm Payload

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks