General

  • Target

    rootkit.exe

  • Size

    274KB

  • Sample

    240709-blql3s1crg

  • MD5

    87119ce97d460721e8c6cb98f990c780

  • SHA1

    eac69d7550546b7812eb5701e82e079ff780d93a

  • SHA256

    f01ae2632bb62a8f559472eaa31a863b82a04821dbdf8adbda7dab3db14d41cc

  • SHA512

    fce0177ad8df7622692919ff8493a9194b806774ca8508a4d28414d75e400bdf26b41818f12ad61a15a0860611d0d978d74660b970b9738c3d2b651e25290fcb

  • SSDEEP

    6144:WZL665pSvWs4dNwLIdh+JR5d3fFbeT8UumB2p3H1s93LZG9B:WlKWtnvKR51fy8VZKTo

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:49403

quotes-suites.gl.at.ply:49403

quotes-suites.gl.at.ply.gg:49403

Mutex

25nhnSSJeo8OHnH7

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

aes.plain

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1259895160632905769/Nt8uggl0mEBvysXT-BFIchzGoOqiC8hi2bWhb_ujCX5_THJiU5kiutfTRZpNtRkHK8Jq
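
The extracted config is the part of this report worth operationalising. As an added example (not the sandbox vendor's code), the Python below turns it into hunt material: it compares a suspect file's digests with the listed hashes, splits each C2 entry into host and port and labels the loopback entry (unreachable from any victim, so a test or tunnel artefact) and the `.at.ply.gg` host (the domain suffix used by the playit.gg tunnelling service), and recovers the creation time of the Umbral webhook from its Discord snowflake ID (bits 22 and up are milliseconds since 2015-01-01T00:00:00Z). The tunnel-suffix mapping and the `summarize` shape are the example's own assumptions; the truncated `quotes-suites.gl.at.ply` entry is kept exactly as the extractor reported it.

```python
"""Hunt helpers derived from the extracted XWorm/Umbral config (added example, not sandbox code)."""
import hashlib
import ipaddress
import re
from datetime import datetime, timezone

# Values copied verbatim from the report above.
SAMPLE_HASHES = {
    "md5": "87119ce97d460721e8c6cb98f990c780",
    "sha1": "eac69d7550546b7812eb5701e82e079ff780d93a",
    "sha256": "f01ae2632bb62a8f559472eaa31a863b82a04821dbdf8adbda7dab3db14d41cc",
}
XWORM_C2 = [
    "127.0.0.1:49403",
    "quotes-suites.gl.at.ply:49403",      # kept exactly as the extractor reported it
    "quotes-suites.gl.at.ply.gg:49403",
]
XWORM_MUTEX = "25nhnSSJeo8OHnH7"
UMBRAL_WEBHOOK = ("https://discord.com/api/webhooks/1259895160632905769/"
                  "Nt8uggl0mEBvysXT-BFIchzGoOqiC8hi2bWhb_ujCX5_THJiU5kiutfTRZpNtRkHK8Jq")

# Discord snowflakes store a millisecond timestamp in bits 22+ relative to 2015-01-01T00:00:00Z.
DISCORD_EPOCH_MS = 1_420_070_400_000
# Suffix -> label for tunnel providers; analyst assumption used only for classification.
TUNNEL_SUFFIXES = {".at.ply.gg": "playit.gg tunnel"}

WEBHOOK_RE = re.compile(r"https://(?:discord|discordapp)\.com/api/webhooks/(\d+)/([A-Za-z0-9_-]+)")


def hash_bytes(data: bytes) -> dict:
    """Digest `data` with each algorithm the report lists, so a suspect file can be compared."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in SAMPLE_HASHES}


def matches_sample(data: bytes) -> list:
    """Return the algorithms under which `data` hashes to the reported sample (empty = no match)."""
    return [alg for alg, digest in hash_bytes(data).items() if digest == SAMPLE_HASHES[alg]]


def webhook_parts(url: str) -> tuple:
    """Split a Discord webhook URL into (webhook_id, token); raise on anything else."""
    m = WEBHOOK_RE.fullmatch(url)
    if m is None:
        raise ValueError("not a Discord webhook URL")
    return int(m.group(1)), m.group(2)


def snowflake_time(snowflake: int) -> datetime:
    """Creation time encoded in a Discord snowflake (here: when the webhook was created)."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def classify_c2(entry: str) -> tuple:
    """Split 'host:port' and label the host: loopback, plain IP, tunnel provider, or other."""
    host, _, port = entry.rpartition(":")
    try:
        label = "loopback" if ipaddress.ip_address(host).is_loopback else "ip"
    except ValueError:  # not an IP literal, so a hostname
        label = "other"
        for suffix, name in TUNNEL_SUFFIXES.items():
            if host.lower().endswith(suffix):
                label = name
    return host, int(port), label


def summarize() -> dict:
    """One-shot view of the config an analyst would paste into a ticket."""
    webhook_id, _token = webhook_parts(UMBRAL_WEBHOOK)
    return {
        "c2": [classify_c2(e) for e in XWORM_C2],
        "mutex": XWORM_MUTEX,
        "webhook_id": webhook_id,
        "webhook_created_utc": snowflake_time(webhook_id).isoformat(timespec="seconds"),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

Hash comparison is exact-match only; the SSDEEP value in the report needs the ssdeep library for fuzzy matching and is left out here. The webhook timestamp resolves to 2024-07-08 UTC, which lines up with the 240709 date prefix of the sample ID, a useful anchor for timeline work. Treat the loopback C2 entry as a config artefact, not an indicator.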

Targets

    • Target

      rootkit.exe

    • Size

      274KB

    • MD5

      87119ce97d460721e8c6cb98f990c780

    • SHA1

      eac69d7550546b7812eb5701e82e079ff780d93a

    • SHA256

      f01ae2632bb62a8f559472eaa31a863b82a04821dbdf8adbda7dab3db14d41cc

    • SHA512

      fce0177ad8df7622692919ff8493a9194b806774ca8508a4d28414d75e400bdf26b41818f12ad61a15a0860611d0d978d74660b970b9738c3d2b651e25290fcb

    • SSDEEP

      6144:WZL665pSvWs4dNwLIdh+JR5d3fFbeT8UumB2p3H1s93LZG9B:WlKWtnvKR51fy8VZKTo

    • Detect Umbral payload

    • Detect Xworm Payload

    • Modifies security service

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Umbral

      Umbral is an open-source modular stealer written in C#.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes so the dropped payloads are not scanned.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
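
The signatures above are the sandbox's behavioural verdicts. As an added example, not the sandbox's own detection logic, the Python below encodes the ones that are visible in endpoint telemetry (Defender exclusions via PowerShell, Run-key and Startup-folder persistence, the configured %AppData%\XClient.exe drop, external IP lookup, browser credential-store reads) as regex rules over text events and runs them across a constructed set of PowerShell 4104 and Sysmon-style lines. The events, the escalation threshold and the list of IP-lookup hostnames are assumptions for the example; the ATT&CK IDs are the standard Enterprise techniques for each behaviour, and the XClient.exe rule is tied to the config fields rather than a technique.

```python
"""Behaviour rules for the listed signatures, run over constructed event lines
(added example; not the sandbox's own detection logic)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str        # ATT&CK technique ID, or a note where only the config maps it
    pattern: re.Pattern


RULES = [
    Rule("Defender exclusion added via PowerShell", "T1562.001",
         re.compile(r"\b(?:Add|Set)-MpPreference\b.*-Exclusion(?:Path|Extension|Process)\b", re.I)),
    Rule("Run key persistence", "T1547.001",
         re.compile(r"\\CurrentVersion\\Run(?:Once)?\b", re.I)),
    Rule("Startup folder drop", "T1547.001",
         re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)),
    Rule("XWorm client written to %AppData%", "config: Install_directory/install_file",
         re.compile(r"\\AppData\\Roaming\\XClient\.exe\b", re.I)),
    Rule("External IP lookup", "T1016.001",
         re.compile(r"\b(?:api\.ipify\.org|ip-api\.com|ipinfo\.io|icanhazip\.com)\b", re.I)),
    Rule("Browser credential store read", "T1555.003",
         re.compile(r"\\(?:Login Data|Cookies|logins\.json)\b", re.I)),
]

# Constructed events shaped like PowerShell 4104 script blocks and Sysmon records; not from the sandbox run.
SAMPLE_EVENTS = [
    ("PowerShell/4104", 'Add-MpPreference -ExclusionPath "C:\\Users\\victim\\AppData\\Roaming"'),
    ("PowerShell/4104", 'Add-MpPreference -ExclusionProcess "XClient.exe"'),
    ("Sysmon/11", "TargetFilename: C:\\Users\\victim\\AppData\\Roaming\\XClient.exe"),
    ("Sysmon/13", "TargetObject: HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001"
                  "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\XClient"),
    ("Sysmon/22", "QueryName: api.ipify.org"),
    ("Sysmon/1", "CommandLine: notepad.exe C:\\Users\\victim\\notes.txt"),  # benign control line
]


def evaluate(events) -> list:
    """Apply every rule to every (source, text) event; at most one hit per rule per event."""
    hits = []
    for source, text in events:
        for rule in RULES:
            if rule.pattern.search(text):
                hits.append({"rule": rule.name, "technique": rule.technique,
                             "source": source, "text": text})
    return hits


def triage(hits) -> dict:
    """Collapse hits to distinct rules and techniques; two or more distinct rules is the escalation bar here."""
    rules = sorted({h["rule"] for h in hits})
    techniques = sorted({h["technique"] for h in hits if h["technique"].startswith("T")})
    return {"rules": rules, "techniques": techniques, "escalate": len(rules) >= 2}


if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for hit in found:
        print(f"[{hit['technique']}] {hit['rule']} <- {hit['source']}: {hit['text']}")
    print(triage(found))
```

Any single rule here fires on legitimate administration too (an admin adding a Defender exclusion, a signed installer writing a Run key); the escalation comes from the combination on one host inside a short window, which is what the sandbox signature list above shows for this sample.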

MITRE ATT&CK Enterprise v15

Tasks