General
-
Target
RustAnticheat.exe
-
Size
1.1MB
-
Sample
240919-px7avszbmk
-
MD5
6d63fe8c87e642d9e380a13803aa6858
-
SHA1
5652877b527da6cec16dfa7e9653d3657fedea8b
-
SHA256
066692a03f240a40c237f5ec3270d27cac1fda40630dd29f40db006b79a542a8
-
SHA512
32ad077db3f44cd184f60a715464a0540615fee76cbb4de20c6a2703b1ef2a74391adfad0e77a4c3b2340f9bafbc18238445f19e7fcebf2c11e76e66376d000d
-
SSDEEP
24576:Ucvup1OydVxYPtGU8ynaQpLUcgs5JTqzCZxGcQVyULZ6U6/:U/1OydfMrgsfX04KZ69/
Static task
static1
Behavioral task
behavioral1
Sample
RustAnticheat.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
RustAnticheat.exe
Resource
win10-20240404-en
Behavioral task
behavioral3
Sample
RustAnticheat.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral4
Sample
RustAnticheat.exe
Resource
win11-20240802-en
Malware Config
Extracted
xworm
expected-schema.gl.at.ply.gg:2980
-
Install_directory
%LocalAppData%
-
install_file
USB.exe
Extracted
umbral
https://discord.com/api/webhooks/1286299751637192826/RNAV05TJwC7uQTEETo8ZiWSJKOrj5gYY87jlWomaK7jJ1jmuh7qm4pMjcc2ZUhDh6jxd
Targets
-
-
Target
RustAnticheat.exe
-
Size
1.1MB
-
MD5
6d63fe8c87e642d9e380a13803aa6858
-
SHA1
5652877b527da6cec16dfa7e9653d3657fedea8b
-
SHA256
066692a03f240a40c237f5ec3270d27cac1fda40630dd29f40db006b79a542a8
-
SHA512
32ad077db3f44cd184f60a715464a0540615fee76cbb4de20c6a2703b1ef2a74391adfad0e77a4c3b2340f9bafbc18238445f19e7fcebf2c11e76e66376d000d
-
SSDEEP
24576:Ucvup1OydVxYPtGU8ynaQpLUcgs5JTqzCZxGcQVyULZ6U6/:U/1OydfMrgsfX04KZ69/
-
Detect Umbral payload
-
Detect Xworm Payload
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2PowerShell
2Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1