umbral | 544a9c11e53d104ee4987900bebeb849490735d2d3a076dd468bcdedd83b6fde

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-09-2024 06:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RustAnticheat.exe
Size

1.1MB
MD5

51d835de66bac2f502ae697a35baec90
SHA1

46ed68b3af1160c892090db77dbfd8916128afee
SHA256

544a9c11e53d104ee4987900bebeb849490735d2d3a076dd468bcdedd83b6fde
SHA512

1be17435d526b464aee3e453295feb831030a4ec9d87c1a4d47eee9b32a3728675fc29ff35143991209e75c5804d02612da31c51dbbad8a6054f03ad01660746
SSDEEP

24576:kEKrzjpnzLOtAi9SrsvNOOZT8XYYLvqKaZ2IJhaOtlj:dKr3hL4+yRT3KaIIj

Score

10^/10

umbral xworm discovery rat stealer trojan

Malware Config

Extracted

Family

xworm

web-amend.gl.at.ply.gg:59501

Attributes

Install_directory
%AppData%
install_file
RuntimeBroker.exe

Extracted

Family

umbral

https://discord.com/api/webhooks/1286696205040226395/PlyXt42kMHxkNNkTVcuKXMSs07VdzNAX4G3WkobLmgEeCwny8D96kvYTWDW1AjLuLxBu

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000016031-16.dat	family_umbral
behavioral2/memory/2408-19-0x0000000000840000-0x0000000000880000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0008000000015f41-14.dat	family_xworm
behavioral2/memory/2160-17-0x0000000000AD0000-0x0000000000AE8000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Executes dropped EXE 3 IoCs

pid	Process
2968	Loader (1).exe
2160	RustAnticheat1.exe
2408	Umbral1.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader (1).exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeDebugPrivilege	2160	RustAnticheat1.exe
Token: SeDebugPrivilege	2408	Umbral1.exe
Token: SeIncreaseQuotaPrivilege	2556	wmic.exe
Token: SeSecurityPrivilege	2556	wmic.exe
Token: SeTakeOwnershipPrivilege	2556	wmic.exe
Token: SeLoadDriverPrivilege	2556	wmic.exe
Token: SeSystemProfilePrivilege	2556	wmic.exe
Token: SeSystemtimePrivilege	2556	wmic.exe
Token: SeProfSingleProcessPrivilege	2556	wmic.exe
Token: SeIncBasePriorityPrivilege	2556	wmic.exe
Token: SeCreatePagefilePrivilege	2556	wmic.exe
Token: SeBackupPrivilege	2556	wmic.exe
Token: SeRestorePrivilege	2556	wmic.exe
Token: SeShutdownPrivilege	2556	wmic.exe
Token: SeDebugPrivilege	2556	wmic.exe
Token: SeSystemEnvironmentPrivilege	2556	wmic.exe
Token: SeRemoteShutdownPrivilege	2556	wmic.exe
Token: SeUndockPrivilege	2556	wmic.exe
Token: SeManageVolumePrivilege	2556	wmic.exe
Token: 33	2556	wmic.exe
Token: 34	2556	wmic.exe
Token: 35	2556	wmic.exe
Token: SeIncreaseQuotaPrivilege	2556	wmic.exe
Token: SeSecurityPrivilege	2556	wmic.exe
Token: SeTakeOwnershipPrivilege	2556	wmic.exe
Token: SeLoadDriverPrivilege	2556	wmic.exe
Token: SeSystemProfilePrivilege	2556	wmic.exe
Token: SeSystemtimePrivilege	2556	wmic.exe
Token: SeProfSingleProcessPrivilege	2556	wmic.exe
Token: SeIncBasePriorityPrivilege	2556	wmic.exe
Token: SeCreatePagefilePrivilege	2556	wmic.exe
Token: SeBackupPrivilege	2556	wmic.exe
Token: SeRestorePrivilege	2556	wmic.exe
Token: SeShutdownPrivilege	2556	wmic.exe
Token: SeDebugPrivilege	2556	wmic.exe
Token: SeSystemEnvironmentPrivilege	2556	wmic.exe
Token: SeRemoteShutdownPrivilege	2556	wmic.exe
Token: SeUndockPrivilege	2556	wmic.exe
Token: SeManageVolumePrivilege	2556	wmic.exe
Token: 33	2556	wmic.exe
Token: 34	2556	wmic.exe
Token: 35	2556	wmic.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2968	2372	RustAnticheat.exe	31
PID 2372 wrote to memory of 2968	2372	RustAnticheat.exe	31
PID 2372 wrote to memory of 2968	2372	RustAnticheat.exe	31
PID 2372 wrote to memory of 2968	2372	RustAnticheat.exe	31
PID 2372 wrote to memory of 2160	2372	RustAnticheat.exe	32
PID 2372 wrote to memory of 2160	2372	RustAnticheat.exe	32
PID 2372 wrote to memory of 2160	2372	RustAnticheat.exe	32
PID 2372 wrote to memory of 2408	2372	RustAnticheat.exe	33
PID 2372 wrote to memory of 2408	2372	RustAnticheat.exe	33
PID 2372 wrote to memory of 2408	2372	RustAnticheat.exe	33
PID 2408 wrote to memory of 2556	2408	Umbral1.exe	34
PID 2408 wrote to memory of 2556	2408	Umbral1.exe	34
PID 2408 wrote to memory of 2556	2408	Umbral1.exe	34

C:\Users\Admin\AppData\Local\Temp\RustAnticheat.exe
"C:\Users\Admin\AppData\Local\Temp\RustAnticheat.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Users\Admin\AppData\Local\Loader (1).exe
  "C:\Users\Admin\AppData\Local\Loader (1).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2968
- C:\Users\Admin\AppData\Local\RustAnticheat1.exe
  "C:\Users\Admin\AppData\Local\RustAnticheat1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2160
- C:\Users\Admin\AppData\Local\Umbral1.exe
  "C:\Users\Admin\AppData\Local\Umbral1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Loader (1).exe

Filesize
827KB

MD5
eefb801774c5ccb44153268a9357f5f1

SHA1
b1906b22e14edd142c52808ab3e5ba9346b85de5

SHA256
677aeb1981c58cba41a5d53ccbbf5b471e62dc49dc326570767da940560d840d

SHA512
1cf162fe6184d68dca514059d2de1123e80d0faac401765a54224aa5a987c9454bc92263fbec566835aa7b402f1f63ba59bb425ccc139e0a7391e66991f270b7

Download Submit
C:\Users\Admin\AppData\Local\RustAnticheat1.exe

Filesize
67KB

MD5
e2380436ed8f81ca925783cfd4ec2be2

SHA1
da7f9a44014fd130cf7bdb9e19d9605246e8cfca

SHA256
4c1be445457b188ef0aad364ee879505e4b925ddba5405801b0e27af659c806a

SHA512
44a57c5e5811d1d840f2cecc1fb5836ad43c7be80061d0b6e800431bf323fd87eef296ee364d87a2fd88502334b657c12bc001c1f2777ad71fca95bce84b6305

Download Submit
C:\Users\Admin\AppData\Local\Umbral1.exe

Filesize
231KB

MD5
844f85b3c38478161c8918e2d23a4835

SHA1
d2da62e3f0c50ddb3cc510af88368143790d59b9

SHA256
8f3ba7ae0aea1ad543fd98a1cb574bada9d363d476e12ae7a332ea83967883b5

SHA512
96d4ccdd853a7f878d0409f4f39f4f8fdd6bdf7d086ccd665e8f9141cf9ebc2916d079838e599c67c86cddfd02262c14cee434622821a8550c0dbd87535c95c7

Download Submit
memory/2160-21-0x000007FEF61E0000-0x000007FEF6BCC000-memory.dmp

Filesize
9.9MB

Download
memory/2160-17-0x0000000000AD0000-0x0000000000AE8000-memory.dmp

Filesize
96KB

Download
memory/2160-25-0x000007FEF61E0000-0x000007FEF6BCC000-memory.dmp

Filesize
9.9MB

Download
memory/2372-1-0x0000000001040000-0x0000000001162000-memory.dmp

Filesize
1.1MB

Download
memory/2372-0-0x000007FEF61E3000-0x000007FEF61E4000-memory.dmp

Filesize
4KB

Download
memory/2408-19-0x0000000000840000-0x0000000000880000-memory.dmp

Filesize
256KB

Download
memory/2968-22-0x0000000000520000-0x000000000052A000-memory.dmp

Filesize
40KB

Download
memory/2968-23-0x0000000000520000-0x000000000052A000-memory.dmp

Filesize
40KB

Download
memory/2968-20-0x0000000001370000-0x0000000001446000-memory.dmp

Filesize
856KB

Download
memory/2968-26-0x0000000000520000-0x000000000052A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads