umbral

General

Target

RustAnticheat.exe
Size

1.1MB
Sample

240925-hncass1dnj
MD5

51d835de66bac2f502ae697a35baec90
SHA1

46ed68b3af1160c892090db77dbfd8916128afee
SHA256

544a9c11e53d104ee4987900bebeb849490735d2d3a076dd468bcdedd83b6fde
SHA512

1be17435d526b464aee3e453295feb831030a4ec9d87c1a4d47eee9b32a3728675fc29ff35143991209e75c5804d02612da31c51dbbad8a6054f03ad01660746
SSDEEP

24576:kEKrzjpnzLOtAi9SrsvNOOZT8XYYLvqKaZ2IJhaOtlj:dKr3hL4+yRT3KaIIj

Score

10^/10

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1286696205040226395/PlyXt42kMHxkNNkTVcuKXMSs07VdzNAX4G3WkobLmgEeCwny8D96kvYTWDW1AjLuLxBu

Extracted

Family

xworm

C2

web-amend.gl.at.ply.gg:59501

Attributes

Install_directory
%AppData%
install_file
RuntimeBroker.exe

Targets

- Target
  
  RustAnticheat.exe
- Size
  
  1.1MB
- MD5
  
  51d835de66bac2f502ae697a35baec90
- SHA1
  
  46ed68b3af1160c892090db77dbfd8916128afee
- SHA256
  
  544a9c11e53d104ee4987900bebeb849490735d2d3a076dd468bcdedd83b6fde
- SHA512
  
  1be17435d526b464aee3e453295feb831030a4ec9d87c1a4d47eee9b32a3728675fc29ff35143991209e75c5804d02612da31c51dbbad8a6054f03ad01660746
- SSDEEP
  
  24576:kEKrzjpnzLOtAi9SrsvNOOZT8XYYLvqKaZ2IJhaOtlj:dKr3hL4+yRT3KaIIj
Score

10^/10

umbral xworm discovery rat stealer trojan
- Detect Umbral payload
- Detect Xworm Payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2 behavioral3 behavioral4 behavioral5

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Detect Umbral payload

Detect Xworm Payload

Xworm

Checks computer location settings

Executes dropped EXE

Looks up external IP address via web service

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5