umbral | 9b802ef1b1e58a521a45dbd45c48c75c5b7f9ac53b273d6d2cf868c1f6d46885 | Triage

Submit
Reports

Overview

overview

Static

static

3

loader.exe

windows10-2004-x64

Sharing

General

Target

loader.exe
Size

5.2MB
Sample

241010-mr79vstgjb
MD5

c136329a989aad9543c913f9197a01fe
SHA1

0b3bdab50947cf330243938c9ccb3e685c43457b
SHA256

9b802ef1b1e58a521a45dbd45c48c75c5b7f9ac53b273d6d2cf868c1f6d46885
SHA512

fa7a7efa10b4da760b7d281aa235fa4bb4ce28d12796f28632fd653ae184a6f09bc796c18ba1aa3253f713af0334d97f040dc762a8a1d25352dc7308d49b8590
SSDEEP

98304:fKYhdZRJ8os9WXz/DsEAE4SfTQ3+5wJCn9cK4KwrUWxeNVSreDGknLjiSXBI:CYhdo0D/D1J8+mM9Y/gNIsGkLj

Score

10^/10

umbral xworm discovery execution rat stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

loader.exe

Resource

win10v2004-20241007-en

umbral xworm discovery execution rat stealer trojan

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Version

5.0

C2

testarosa.duckdns.org:7110

Mutex

5ZpeoOe6AtQfr6wU

Attributes

Install_directory
%AppData%
install_file
Ondrive.exe

aes.plain

Targets

- Target
  
  loader.exe
- Size
  
  5.2MB
- MD5
  
  c136329a989aad9543c913f9197a01fe
- SHA1
  
  0b3bdab50947cf330243938c9ccb3e685c43457b
- SHA256
  
  9b802ef1b1e58a521a45dbd45c48c75c5b7f9ac53b273d6d2cf868c1f6d46885
- SHA512
  
  fa7a7efa10b4da760b7d281aa235fa4bb4ce28d12796f28632fd653ae184a6f09bc796c18ba1aa3253f713af0334d97f040dc762a8a1d25352dc7308d49b8590
- SSDEEP
  
  98304:fKYhdZRJ8os9WXz/DsEAE4SfTQ3+5wJCn9cK4KwrUWxeNVSreDGknLjiSXBI:CYhdo0D/D1J8+mM9Y/gNIsGkLj
Score

10^/10

umbral xworm discovery execution rat stealer trojan
- Detect Umbral payload
- Detect Xworm Payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

umbralxwormdiscoveryexecutionratstealertrojan

© 2018-2024

Terms | Privacy