Overview

overview

10

Static

static

3

RustAnticheat.exe

windows7-x64

RustAnticheat.exe

windows10-1703-x64

RustAnticheat.exe

windows10-2004-x64

RustAnticheat.exe

windows11-21h2-x64

Sharing

Copy URL
Twitter E-mail

General

  • Target

    RustAnticheat.rar

  • Size

    1.1MB

  • Sample

    240925-jb265awbpc

  • MD5

    fc6d0e5a74f377ac0d58c1b1088d57ce

  • SHA1

    16b81a3e0a59b42d710b42220107f8e066ff9e72

  • SHA256

    8ba594fa7b1cc9bdc5fba532d40d6ed7bf291973e911c4be96cfc288b3554910

  • SHA512

    d72f37e17e23971e66b669235fb03c29c32171e4144987207c91109b8bf7dce844dbf25133fcaf325f2a8d9b2c44b3f99410eee98de736a03c078693d1d75030

  • SSDEEP

    24576:sZrjK1usvLJyBxT4xdjYvYabIEQ+FRKdLB7vU7U7GBWTwq+u1L0SX0I:GrjKdArTkCwaIe07Q7c5Two10/I

Score
10/10
umbralxwormdiscoveryexecutionpersistenceratstealertrojan

Malware Config

Extracted

Family

xworm

C2

web-amend.gl.at.ply.gg:59501

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    USB.exe

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1288399761308782603/dBc32ufL91AjkI32Qso8IT_vaA0Frj3MP9_ivfjpfIEs4tXDc5SB89aA7LHc09xTZHZv

Targets

    • Target

      RustAnticheat.exe

    • Size

      1.1MB

    • MD5

      0d0d79a916d356823c4742f3253aa6aa

    • SHA1

      5e267d313557b5dbf6c216e79190b20fb5ab8177

    • SHA256

      20868115f180702553380c551df502535b8aa01c3ef630d408edd849896e631a

    • SHA512

      9bbc72f3b647885dee27a27f5e30e2c845f5eb395bcf545ba7c75d65a0386f9c97dab4348a946fd693a90f4994550fda41a0528072cfeb8106ab603232573365

    • SSDEEP

      24576:drAsHOi4ltSzmSEPGUSa/D3mIaCmo/NE1a1pvRQrhWgJbavyRAh79c0ih:5Lu1tSzmhR/nCo/K0pZQrE2RAh79Lih

    Score
    10/10
    umbralxwormdiscoveryexecutionpersistenceratstealertrojan

    • Detect Umbral payload

    • Detect Xworm Payload

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

      stealerumbral

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks