General

  • Target

    Solara roblox.exe

  • Size

    102KB

  • Sample

    240709-n8vwjavdph

  • MD5

    ce28d82fa8e4dbbd72cae1bf8d4930e1

  • SHA1

    0cba2f93bc5c9d9e4f950c66e7ac3acee3ce418f

  • SHA256

    d9ca4eaa59a18b4b30518a5c85c757a8b04240e579a1460f0472c608aa2b7bc2

  • SHA512

    ba5506f4dfa1c46e9ac38ca1c6ffabd1870eb4c99d98dae963dda8c387cc1c423a1cbef09f93befba889a65f8f51f34663f64dbb14743c82d8ec40fc036fe57e

  • SSDEEP

    3072:Eb1Z3z4aicVw+NUbUq5dikO3WGWlxUJ1lbE812:Eb1ldC+UbUSdiIdnUJfEm

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:62559

19.ip.gl.ply.gg:62559

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1260178339398684763/vrimjbksRiAdnQJhpf4RiMhDKhDPxfoJKYZ-ILxv3PIxTVVzEhCZeqgCy8f3wVpGOLPx

Targets

    • Target

      Solara roblox.exe

    • Size

      102KB

    • MD5

      ce28d82fa8e4dbbd72cae1bf8d4930e1

    • SHA1

      0cba2f93bc5c9d9e4f950c66e7ac3acee3ce418f

    • SHA256

      d9ca4eaa59a18b4b30518a5c85c757a8b04240e579a1460f0472c608aa2b7bc2

    • SHA512

      ba5506f4dfa1c46e9ac38ca1c6ffabd1870eb4c99d98dae963dda8c387cc1c423a1cbef09f93befba889a65f8f51f34663f64dbb14743c82d8ec40fc036fe57e

    • SSDEEP

      3072:Eb1Z3z4aicVw+NUbUq5dikO3WGWlxUJ1lbE812:Eb1ldC+UbUSdiIdnUJfEm

    • Detect Umbral payload

    • Detect Xworm Payload

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks