General
Target: Byte_Guard_Cracked.exe
Size: 4.3MB
Sample: 240818-r3zjba1emn
MD5: d7936c64138b924d63901cedb2c6cd09
SHA1: b525dd212eac4c808b5166880976b1817caf826b
SHA256: 52124dea5ce1c6296873462826b58cf7ced4bc5bff6092af5950769482962339
SHA512: 3c2e8b6b1de63baeda4fb714ab3f4104f820cf81d2bbe9d4177631246b7627ac1e76c709a57504ca777dfdbcc74aab95602184a270120f653832f37e4965d3f7
SSDEEP: 98304:dnsmtk2a2052wnEFsuU8agxdazsYXhDqgAdXt2:BL4n7uB8zpXcnb2
Static task: static1
Behavioral task: behavioral1
  Sample: Byte_Guard_Cracked.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: Byte_Guard_Cracked.exe
  Resource: win10v2004-20240802-en
Malware Config
Extracted: umbral
  https://discord.com/api/webhooks/1271910498107129856/6QtgJK8NkWoaobhUacej3NEYw3eYaasAKEEehxN04UR57cdaVkLvywYwnoPhZkUSYxdW
Extracted: xred
  xred.mooo.com
  payload_url:
    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
    http://xred.site50.net/syn/SUpdate.ini
    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
    http://xred.site50.net/syn/Synaptics.rar
    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
    http://xred.site50.net/syn/SSLLibrary.dll
Targets
Target: Byte_Guard_Cracked.exe
Size: 4.3MB
Signatures
- Detect Umbral payload
- Umbral family
- Xred family
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Drops file in Drivers directory
- Checks computer location settings
  Looks up the country code configured in the registry, likely as a geofence check.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP address.
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Modify Registry (1)
  Obfuscated Files or Information (1)
    Command Obfuscation (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)