Extracted

• • Target

    CY2jVj7cNu8l.exe

  • Size

    61.6MB

  • MD5

    49e5af4b381070bfd8c6e5e17b06fe8d

  • SHA1

    103a82cd6a8eda1334516b19ac704e026a35fc3d

  • SHA256

    dcdfba770a5dd66fba128b96ada44e35ae13325e52d3909b03817e6636b4a57b

  • SHA512

    50d176eafb0834f1185e211cfd0a2f72e9fef138dccb68eed06cd1c70cff73405e4cb8f1d976458143ab8b7f38157aac5e35b6576b2fdcd72e3190597a6cb7de

  • SSDEEP

    1572864:B3mOA8SEJXql1coJh4V7LtXIgoku+arRazxMSNlcDplj:BWOA81tDoEV7Lx9oku3VfSEDpl

  Score

  10^/10

  umbralxmrigxwormcredential_accessdiscoveryevasionexecutionminerpersistenceprivilege_escalationratspywarestealertrojan

  • Detect Umbral payload

  • Detect Xworm Payload

  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig

  • Credentials from Password Stores: Credentials from Web Browsers

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer

  • XMRig Miner payload

    miner

  • Command and Scripting Interpreter: PowerShell

    Using powershell.exe command.

    execution

  • Drops file in Drivers directory

  • Modifies Windows Firewall

    evasion

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1