General

  • Target

    64787cd5380092f4842918dde01f0bfe92c133a925cdaef9f7289e6e53af4eed.exe

  • Size

    7.7MB

  • Sample

    240711-tmzv9awgkf

  • MD5

    6ca08efccb785d2b8c23c54a05930356

  • SHA1

    c4de56535545a5a6555af998b2b3fbb254637625

  • SHA256

    64787cd5380092f4842918dde01f0bfe92c133a925cdaef9f7289e6e53af4eed

  • SHA512

    8da14f29989d5c99b0335be45951e4e87dccabefccae73a8e5cf13d91e6d47fcf1408b9020a965015b15175239f6d732d8cd4b6b11e07b232386827984b77b14

  • SSDEEP

    196608:p9xmKlBELQL73HTSddEVnvbG3eVvMJxOf2X6QDpTrTMA:Yf03QdEc3eJMJxOf25VT3D

Malware Config

Extracted

Family

xworm

Version

5.0

C2

testarosa.duckdns.org:7110

Mutex

5ZpeoOe6AtQfr6wU

Attributes
  • Install_directory

    %AppData%

  • install_file

    Ondrive.exe

aes.plain

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1255561908631900262/FBfFOJC5RNZ6gSVwbGsinrWT1Tk0AcX2fxXrs9EMYvCvgKrDx5R4TOUhy9LGN7mz_JKs

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

147.185.221.20:49236

Mutex

6a8a3b6e5450a823d542e748a454aa4c

Attributes
  • reg_key

    6a8a3b6e5450a823d542e748a454aa4c

  • splitter

    |'|'|

Targets

    • Target

      64787cd5380092f4842918dde01f0bfe92c133a925cdaef9f7289e6e53af4eed.exe

    • Size

      7.7MB

    • MD5

      6ca08efccb785d2b8c23c54a05930356

    • SHA1

      c4de56535545a5a6555af998b2b3fbb254637625

    • SHA256

      64787cd5380092f4842918dde01f0bfe92c133a925cdaef9f7289e6e53af4eed

    • SHA512

      8da14f29989d5c99b0335be45951e4e87dccabefccae73a8e5cf13d91e6d47fcf1408b9020a965015b15175239f6d732d8cd4b6b11e07b232386827984b77b14

    • SSDEEP

      196608:p9xmKlBELQL73HTSddEVnvbG3eVvMJxOf2X6QDpTrTMA:Yf03QdEc3eJMJxOf25VT3D

    • Detect Umbral payload

    • Detect Xworm Payload

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks