umbral

General

Target

CODE STEALER.exe
Size

7.3MB
Sample

240813-pssxnsybrk
MD5

1d07c9e8178116ebbb44fc17d1d759a6
SHA1

5581b932910066fad920a8e1349dd139c04fe36f
SHA256

2f62506fbd6dbca8a941cbf5632305aef1508f0b95e89a281d5c5ab0298381a8
SHA512

7d9c2bd01434e817812fa3fb64c0ee2a8603fc2bd6757d991d21acfef693b0ea74c6afb904c5c1ccaa88c27f828a24f32e7de0056bcac1dbf462a353b833d526
SSDEEP

98304:ansmtk2awfcMGnSt8JDkfcMGnStVsCBbKZYzsH/ErMDu8yrnj7S9N9A474uwWaVE:ULkW8JDlWKsWZgkIo74j7yzEZhaZLV

Score

10^/10

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1271910498107129856/6QtgJK8NkWoaobhUacej3NEYw3eYaasAKEEehxN04UR57cdaVkLvywYwnoPhZkUSYxdW

Targets

- Target
  
  CODE STEALER.exe
- Size
  
  7.3MB
- MD5
  
  1d07c9e8178116ebbb44fc17d1d759a6
- SHA1
  
  5581b932910066fad920a8e1349dd139c04fe36f
- SHA256
  
  2f62506fbd6dbca8a941cbf5632305aef1508f0b95e89a281d5c5ab0298381a8
- SHA512
  
  7d9c2bd01434e817812fa3fb64c0ee2a8603fc2bd6757d991d21acfef693b0ea74c6afb904c5c1ccaa88c27f828a24f32e7de0056bcac1dbf462a353b833d526
- SSDEEP
  
  98304:ansmtk2awfcMGnSt8JDkfcMGnStVsCBbKZYzsH/ErMDu8yrnj7S9N9A474uwWaVE:ULkW8JDlWKsWZgkIo74j7yzEZhaZLV
Score

10^/10

umbral xred backdoor defense_evasion discovery execution persistence stealer
- Detect Umbral payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Umbral family
  umbral
- Xred
  Xred is backdoor written in Delphi.
  backdoor xred
- Xred family
  xred
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
behavioral1