General
-
Target
Rust_Kfg (4).rar
-
Size
218KB
-
Sample
240826-wcdalsyanm
-
MD5
24e5ebcc022f0735f35737a8dc358b75
-
SHA1
b820dbecbbcb565365557a9d16aed97622816f8b
-
SHA256
5792e2d18bf6bb75708a630b4bd2d5bd56992dac49aef6e37ce194d7229346a0
-
SHA512
8de8b3fa6b7e30e5a38778a9c547109d9562179f9e3b610a25af62d10dba6511fcbc87cc4de963f0a807bef9372f1cc2525071b8203061f3ea8bfa6a4fc572ac
-
SSDEEP
6144:/a/EIYhHdteaYHJxzEKOKE5myFELElV+bczVnK:/KYBHQJxz9OVsLElV+r
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1276982380623822909/-ZYqYnZeoG8yutLtDD9buwOWh8z-ENLfgSoEesmu5LYvfPnRgh3KuZ2RXTmQ_aGzc_7m
Extracted
xworm
127.0.0.1:59668
21.ip.gl.ply.gg:59668
-
Install_directory
%AppData%
Extracted
44caliber
https://discord.com/api/webhooks/1276982380623822909/-ZYqYnZeoG8yutLtDD9buwOWh8z-ENLfgSoEesmu5LYvfPnRgh3KuZ2RXTmQ_aGzc_7m
Targets
-
-
Target
Rust_Kfg (4).rar
-
Size
218KB
-
MD5
24e5ebcc022f0735f35737a8dc358b75
-
SHA1
b820dbecbbcb565365557a9d16aed97622816f8b
-
SHA256
5792e2d18bf6bb75708a630b4bd2d5bd56992dac49aef6e37ce194d7229346a0
-
SHA512
8de8b3fa6b7e30e5a38778a9c547109d9562179f9e3b610a25af62d10dba6511fcbc87cc4de963f0a807bef9372f1cc2525071b8203061f3ea8bfa6a4fc572ac
-
SSDEEP
6144:/a/EIYhHdteaYHJxzEKOKE5myFELElV+bczVnK:/KYBHQJxz9OVsLElV+r
Score10/10-
44Caliber
An open source infostealer written in C#.
-
Detect Umbral payload
-
Detect Xworm Payload
-
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
-
Xworm
Xworm is a remote access trojan written in C#.
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Component Object Model Hijacking
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Component Object Model Hijacking
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
1Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2