umbral

General

Target

AkrienPremiumCrack.zip
Size

312KB
Sample

240710-pprkfaxhkk
MD5

431e487b11513783fbec3858169b6041
SHA1

d52b846d43015d219bab3d96f62809b0ceed7cfd
SHA256

471eeb9eeca3a3fb5bc949d95ddc7a29a8910a10b7567e725fc212c86c616b10
SHA512

a8709c23eb53afaf5af8731a8bd0673c4e7a66b09240386c9d2a87e125c3ea744357dd5df80b47e67d3e93d87d95067edd3b3fc0601ff1377b475f552ad059ff
SSDEEP

6144:g6r0R7lHL1q4r+hFDnDXuzXhS4P3T1QHTR/00Cu4DKcts8zaQOsk:pIhZY4r+zDezXDmTR/tb4+cO0aQQ

Score

10^/10

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1260567168722927636/JRzdu6AXLXMoNg-RGz_uMt-M0S5cWTX1XgHtoE2eyWa2C43rIIU36wAR5byWxaul4pBP

Extracted

Family

xworm

C2

connection-elect.gl.at.ply.gg:37777

Attributes

Install_directory
%AppData%
install_file
Crack.exe

Targets

- Target
  
  AkrienPremiumCrack.zip
- Size
  
  312KB
- MD5
  
  431e487b11513783fbec3858169b6041
- SHA1
  
  d52b846d43015d219bab3d96f62809b0ceed7cfd
- SHA256
  
  471eeb9eeca3a3fb5bc949d95ddc7a29a8910a10b7567e725fc212c86c616b10
- SHA512
  
  a8709c23eb53afaf5af8731a8bd0673c4e7a66b09240386c9d2a87e125c3ea744357dd5df80b47e67d3e93d87d95067edd3b3fc0601ff1377b475f552ad059ff
- SSDEEP
  
  6144:g6r0R7lHL1q4r+hFDnDXuzXhS4P3T1QHTR/00Cu4DKcts8zaQOsk:pIhZY4r+zDezXDmTR/tb4+cO0aQQ
Score

4^/10
behavioral1
- Target
  
  AkrienPremium.exe
- Size
  
  229KB
- MD5
  
  049427153333cbb91ce24e1c36b4d911
- SHA1
  
  583d712848e1f88af5692c745d6c8c2e54e07824
- SHA256
  
  b05886d5d5e49aba42b56f7f2e9095a8a3229b9dd0404667fa4be80e6f750984
- SHA512
  
  d4ed952c5ddc341da364b8db4a534b6e867bd9bb3b7702bd762ee8118086bceb58bdf475c269f032d9a7042d4f12f122c6954b5d3c3ef161b283af1ecd2d6640
- SSDEEP
  
  6144:9loZMvrIkd8g+EtXHkv/iD4Qh3YEXN2eR3ENfKK/u3b8e1mYC5HCi:foZIL+EP8q3YEXN2eR3ENfKK/ofIX
Score

10^/10

umbral execution spyware stealer
- Detect Umbral payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral2
- Target
  
  Crack.exe
- Size
  
  83KB
- MD5
  
  fafdca52fa2f2e543c82157ab5bd3abe
- SHA1
  
  66b2fa2d9b1e58a67723fe98c08352f1668ea561
- SHA256
  
  fdd41c041dd827148ad8a15c521255c017f1977522a90ef4e94fb898c2a04477
- SHA512
  
  28869228921b62f13a1975a75f9956909024fd5e59ff1a61152a38feb0cfcb128d76c4a6477b8b8701073e8faa0343612b2cdb94f24fd0ff73f04f98a4a7e561
- SSDEEP
  
  1536:TOgd9x9J64t5dY63G6IPLh0i6a+bai0bqkTkF6UoBnO0cXSeUd:/9J5uEOh6a+baNOkTkQnOXHy
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral3