umbral | 2fa899e1197c8a1ce033230b147ae1d406172e439a712f55f51104156ce55fcd | Triage

Submit
Reports

Overview

overview

Static

static

3

Command.exe

windows10-2004-x64

Sharing

General

Target

Command.exe
Size

8.9MB
Sample

241004-rq482ayfnm
MD5

7b2f691115519bac6d213c8a69e35e1e
SHA1

137fd5d39ee8ff2c0b57af3ab82a868cc8daf2f6
SHA256

2fa899e1197c8a1ce033230b147ae1d406172e439a712f55f51104156ce55fcd
SHA512

73e439123a4ef857858e03f436270651142fb8c143fb50570808418fde14bc737b36c906e9d7e07db76d089cfc4f76698e093f720fef3b33f1a286231713afb5
SSDEEP

196608:uGrAom6nkx0piDMuw+knVthdXlqVfPtoiqjuM:lIyMDXi3hdQVPtonyM

Score

10^/10

umbral xworm discovery execution pyinstaller rat stealer trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Command.exe

Resource

win10v2004-20240802-en

umbral xworm discovery execution pyinstaller rat stealer trojan upx

windows10-2004-x64

15 signatures

30 seconds

Malware Config

Extracted

Family

xworm

C2

22.ip.gl.ply.gg:55064

Attributes

Install_directory
%AppData%
install_file
Windows Command.exe

Targets

- Target
  
  Command.exe
- Size
  
  8.9MB
- MD5
  
  7b2f691115519bac6d213c8a69e35e1e
- SHA1
  
  137fd5d39ee8ff2c0b57af3ab82a868cc8daf2f6
- SHA256
  
  2fa899e1197c8a1ce033230b147ae1d406172e439a712f55f51104156ce55fcd
- SHA512
  
  73e439123a4ef857858e03f436270651142fb8c143fb50570808418fde14bc737b36c906e9d7e07db76d089cfc4f76698e093f720fef3b33f1a286231713afb5
- SSDEEP
  
  196608:uGrAom6nkx0piDMuw+knVthdXlqVfPtoiqjuM:lIyMDXi3hdQVPtonyM
Score

10^/10

umbral xworm discovery execution pyinstaller rat stealer trojan upx
- Detect Umbral payload
- Detect Xworm Payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Enumerates processes with tasklist
  discovery
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

umbralxwormdiscoveryexecutionpyinstallerratstealertrojanupx

© 2018-2024

Terms | Privacy