General

  • Target

    freerobuxkid.zip

  • Size

    273KB

  • Sample

    240715-mtpwassekp

  • MD5

    4f92b49a95512369456cb2402f0bc88e

  • SHA1

    955092b26264cc0034b05411df573c76799e97e6

  • SHA256

    78a1a3bab4ca5d2a45b46903f4682209e19a43683a46c8b90aab769972791f42

  • SHA512

    dd4052c7573896764f0de673bdf6ee1f0b38281c14f03f4dbf7407af6d10ff4ed377e262b07b5c195f30495fd6f04fff1cd6f81b4bc75ed83fc94e536e5daa51

  • SSDEEP

    6144:7zVhUxmlK9K6hyxvsTBTTTjdzn+0NiaVs3XPe/nYCC:3VhZlqN+vs5TvR+bRPeYCC

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

  • pastebin_url

    https://pastebin.com/raw/ME817Qqj

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1244505203496194133/h3wJ8jEzsCkiD_oJMOEgKD6W-dcdUxngCdZj3Rs3uHGbU8AbvcL1w442PjqCArkBwS10
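Both extracted configs lean on a legitimate public service rather than attacker infrastructure: Xworm fetches its C2 address from a pastebin raw paste (a dead-drop resolver), and Umbral posts stolen data to a Discord webhook. The block below is an added example, not part of this report and not code from either malware family. It pulls those two URL shapes out of a binary, decoding printable runs as both ASCII and UTF-16LE because C# binaries keep their string literals as UTF-16LE, which a plain ASCII `strings` pass misses. The sample blob is constructed here from the two URLs in this report plus decoys; the regex bounds (17 to 20 digit webhook id, 60 to 80 character token, 8 character paste id) are assumed shapes, not taken from the report.

```python
import re
from typing import Dict, List

# Assumed URL shapes for the two services abused above. findall() on a
# pattern with no capture groups returns the full matched URL.
DISCORD_WEBHOOK_RE = re.compile(
    r"https://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/"
    r"\d{17,20}/[A-Za-z0-9_-]{60,80}"
)
PASTEBIN_RAW_RE = re.compile(r"https://pastebin\.com/raw/[A-Za-z0-9]{8}")


def extract_strings(data: bytes, min_len: int = 8) -> List[str]:
    """Printable runs from a binary, in both ASCII and UTF-16LE.

    .NET assemblies store user string literals (where hard-coded C2 config
    lives) as UTF-16LE, so each character is followed by a NUL byte.
    """
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    utf16_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    strings = [r.decode("ascii") for r in ascii_runs]
    strings += [r.decode("utf-16-le") for r in utf16_runs]
    return strings


def extract_c2(data: bytes) -> Dict[str, List[str]]:
    """Unique Discord webhook and pastebin raw URLs found in the blob."""
    found: Dict[str, set] = {"discord_webhooks": set(), "pastebin_raw": set()}
    for s in extract_strings(data):
        found["discord_webhooks"].update(DISCORD_WEBHOOK_RE.findall(s))
        found["pastebin_raw"].update(PASTEBIN_RAW_RE.findall(s))
    return {k: sorted(v) for k, v in found.items()}


# The two indicators from this report.
WEBHOOK = ("https://discord.com/api/webhooks/1244505203496194133/"
           "h3wJ8jEzsCkiD_oJMOEgKD6W-dcdUxngCdZj3Rs3uHGbU8AbvcL1w442PjqCArkBwS10")
PASTE = "https://pastebin.com/raw/ME817Qqj"

# Constructed stand-in for a dropped .NET payload (not the real sample):
# the webhook as a UTF-16LE literal, the paste URL as ASCII, and two decoys
# that must not match (a non-raw pastebin link, a webhook with no token).
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 16
    + WEBHOOK.encode("utf-16-le") + b"\x00\x00"
    + b"https://pastebin.com/ME817Qqj\x00"
    + PASTE.encode("ascii") + b"\x00"
    + b"https://discord.com/api/webhooks/1244505203496194133/\x00"
    + b"\x00" * 8
)


def demo() -> Dict[str, List[str]]:
    return extract_c2(SAMPLE_BLOB)


if __name__ == "__main__":
    for kind, urls in demo().items():
        for url in urls:
            print(f"{kind}: {url}")
```

Run against a real dropped file with `extract_c2(open(path, "rb").read())`; hits are candidates for blocking at the proxy, and the webhook can be reported to Discord for takedown.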

Targets

    • Target

      freerobuxkid.exe

    • Size

      603KB

    • MD5

      110661737f95174fa0134da2375920f4

    • SHA1

      3cfb6c3f2ffbd469fdee32b085c33a62ff7e768b

    • SHA256

      7162d3e3ae071703320d478702541eccb82636200dc0e29aa880b93b2766440c

    • SHA512

      342ca30c288cc9eab1f567ab03cf75b1ac10547b046a9e86a21048499af0bfd830d8e82ce93d953d97267c7630202774b4fb1a1ddad038e512a916ad8789f4dd

    • SSDEEP

      6144:SoFNIF/iYvOFUV1aH4P9wOLae6VlWT8b94FfclKwCE8TtrXHiPOib36hlbT00cHu:jsF/LRVMW9wOaPVle8ufyVCfTJw

    • Detect Umbral payload

    • Detect Xworm Payload

    • Modifies WinLogon for persistence

    • Umbral

      Umbral stealer is an open-source modular stealer written in C#.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Starts PowerShell.

    • Drops file in Drivers directory

    • Event Triggered Execution: AppInit DLLs

      Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
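The persistence signatures above (Run key, Winlogon modification, AppInit DLLs) together with the Xworm install path of svchost.exe under %AppData% give a compact triage checklist for a suspected host. The block below is an added example, not part of this report or of any sandbox product: it runs that checklist over a registry dump given as (key, value name, data) tuples, flagging a system-binary name outside System32/SysWOW64, autorun entries pointing into user-writable paths, a Winlogon Shell or Userinit that deviates from its default, and AppInit_DLLs being set or enabled. The dump is constructed; it assumes %AppData% expands to C:\Users\victim\AppData\Roaming and that the system drive is C:, and the file and user names are placeholders.

```python
from typing import Any, Dict, List, Tuple

Entry = Tuple[str, str, Any]  # (key path, value name, data)

AUTORUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
WINLOGON_KEY = "\\currentversion\\winlogon"
APPINIT_KEY = "\\windows nt\\currentversion\\windows"
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\",
                 "\\programdata\\", "\\downloads\\")
# Names a dropper borrows to blend in; the real ones live under SYSTEM_DIRS.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe",
                   "winlogon.exe", "services.exe", "dllhost.exe", "conhost.exe"}


def finding(rule: str, key: str, name: str, data: Any) -> Dict[str, Any]:
    return {"rule": rule, "key": key, "value": name, "data": data}


def first_exe(cmd: str) -> str:
    """Executable path from an autorun command line, honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def check_autorun(key: str, name: str, data: Any) -> List[Dict[str, Any]]:
    exe = first_exe(str(data)).lower()
    base = exe.rsplit("\\", 1)[-1]
    out = []
    if base in SYSTEM_BINARIES and not any(d in exe for d in SYSTEM_DIRS):
        out.append(finding("masquerade_system_binary", key, name, data))
    if any(m in exe for m in USER_WRITABLE):
        out.append(finding("user_writable_autorun", key, name, data))
    return out


def check_winlogon(key: str, name: str, data: Any) -> List[Dict[str, Any]]:
    value = str(data).strip().lower()
    if name.lower() == "shell" and value != "explorer.exe":
        return [finding("winlogon_shell_modified", key, name, data)]
    if name.lower() == "userinit":
        # Default is a single entry "<systemroot>\system32\userinit.exe," .
        parts = [p.strip() for p in value.split(",") if p.strip()]
        if not (len(parts) == 1 and parts[0].endswith("\\windows\\system32\\userinit.exe")):
            return [finding("winlogon_userinit_modified", key, name, data)]
    return []


def check_appinit(key: str, name: str, data: Any) -> List[Dict[str, Any]]:
    n = name.lower()
    if n == "appinit_dlls" and str(data).strip():
        return [finding("appinit_dlls_set", key, name, data)]
    if n == "loadappinit_dlls" and int(data) == 1:
        return [finding("appinit_dlls_enabled", key, name, data)]
    return []


def triage(entries: List[Entry]) -> List[Dict[str, Any]]:
    findings: List[Dict[str, Any]] = []
    for key, name, data in entries:
        k = key.lower()
        if k.endswith(AUTORUN_KEYS):
            findings += check_autorun(key, name, data)
        elif k.endswith(WINLOGON_KEY):
            findings += check_winlogon(key, name, data)
        elif k.endswith(APPINIT_KEY):
            findings += check_appinit(key, name, data)
    return findings


# Constructed registry dump (placeholder user "victim", assumed %AppData%
# expansion); mixes one benign autorun with entries matching the behaviours above.
SAMPLE_REGISTRY: List[Entry] = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "svchost",
     r"C:\Users\victim\AppData\Roaming\svchost.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell",
     r"explorer.exe, C:\Users\victim\AppData\Roaming\svchost.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit",
     r"C:\Windows\system32\userinit.exe,"),
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows", "AppInit_DLLs",
     r"C:\Users\victim\AppData\Roaming\hook.dll"),
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows", "LoadAppInit_DLLs", 1),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_REGISTRY):
        print(f"{f['rule']:28} {f['key']}\\{f['value']} = {f['data']}")
```

The user_writable_autorun rule is deliberately noisy: legitimate software such as OneDrive installs under AppData\Local, so treat it as context and let masquerade_system_binary, the Winlogon rules and the AppInit rules drive the decision; on a live host, feed the output of `reg query` (or `Get-ItemProperty`) into `triage()`.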

MITRE ATT&CK Enterprise v15