umbral | 24e67548df5a641935f0c8334190ac289a50b02a140a0f2a2f9897581a5e9d7e

General

Target

24e67548df5a641935f0c8334190ac289a50b02a140a0f2a2f9897581a5e9d7e.exe
Size

152KB
MD5

772e609529a67bd0524c583acf8259dd
SHA1

895f2ecf2945796cf20414d63bfeebd6a89d5039
SHA256

24e67548df5a641935f0c8334190ac289a50b02a140a0f2a2f9897581a5e9d7e
SHA512

4eccbac440cb2c64d3ec9c284748030e0ab247f2bd48d47e0b5e90caa74a8bf31f867f2505bdceca1f5feffabd0b1a39bd50db323850de33f8315de64fa5b3c1
SSDEEP

3072:uWhBzZGqJ1ueo/S11SF1I+sRES/W0KwHVOy0VjHBaeV+jLcTpyq9J:uuBzVJ1upSe/W/4wArBaeVcLcD9

Score

10^/10

umbral xworm execution persistence rat stealer trojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:46987

germany-equally.gl.at.ply.gg:46987

Attributes

Install_directory
%Userprofile%
install_file
svchost.exe

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1304758791119573022/NvFMMmX_pxtti9SmarYx57UbyGiz6U-OIecbcV9_MeGQ9b2_1tu63kv3ZlsU6P8xgPYv

Signatures

Detect Umbral payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Umbral.exe	family_umbral
behavioral1/memory/2924-20-0x0000000000ED0000-0x0000000000F10000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\XClient.exe	family_xworm
behavioral1/memory/2096-19-0x0000000000D00000-0x0000000000D1A000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2376 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

XClient.exeUmbral.exe

pid process

2096 XClient.exe
2924 Umbral.exe

pid	process
2376	powershell.exe

pid	process
2096	XClient.exe
2924	Umbral.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

24e67548df5a641935f0c8334190ac289a50b02a140a0f2a2f9897581a5e9d7e.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XClient.exe"	24e67548df5a641935f0c8334190ac289a50b02a140a0f2a2f9897581a5e9d7e.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2376 powershell.exe

flow	ioc
6	ip-api.com

pid	process
2376	powershell.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

powershell.exeXClient.exeUmbral.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	2096	XClient.exe
Token: SeDebugPrivilege	2924	Umbral.exe
Token: SeIncreaseQuotaPrivilege	2744	wmic.exe
Token: SeSecurityPrivilege	2744	wmic.exe
Token: SeTakeOwnershipPrivilege	2744	wmic.exe
Token: SeLoadDriverPrivilege	2744	wmic.exe
Token: SeSystemProfilePrivilege	2744	wmic.exe
Token: SeSystemtimePrivilege	2744	wmic.exe
Token: SeProfSingleProcessPrivilege	2744	wmic.exe
Token: SeIncBasePriorityPrivilege	2744	wmic.exe
Token: SeCreatePagefilePrivilege	2744	wmic.exe
Token: SeBackupPrivilege	2744	wmic.exe
Token: SeRestorePrivilege	2744	wmic.exe
Token: SeShutdownPrivilege	2744	wmic.exe
Token: SeDebugPrivilege	2744	wmic.exe
Token: SeSystemEnvironmentPrivilege	2744	wmic.exe
Token: SeRemoteShutdownPrivilege	2744	wmic.exe
Token: SeUndockPrivilege	2744	wmic.exe
Token: SeManageVolumePrivilege	2744	wmic.exe
Token: 33	2744	wmic.exe
Token: 34	2744	wmic.exe
Token: 35	2744	wmic.exe
Token: SeIncreaseQuotaPrivilege	2744	wmic.exe
Token: SeSecurityPrivilege	2744	wmic.exe
Token: SeTakeOwnershipPrivilege	2744	wmic.exe
Token: SeLoadDriverPrivilege	2744	wmic.exe
Token: SeSystemProfilePrivilege	2744	wmic.exe
Token: SeSystemtimePrivilege	2744	wmic.exe
Token: SeProfSingleProcessPrivilege	2744	wmic.exe
Token: SeIncBasePriorityPrivilege	2744	wmic.exe
Token: SeCreatePagefilePrivilege	2744	wmic.exe
Token: SeBackupPrivilege	2744	wmic.exe
Token: SeRestorePrivilege	2744	wmic.exe
Token: SeShutdownPrivilege	2744	wmic.exe
Token: SeDebugPrivilege	2744	wmic.exe
Token: SeSystemEnvironmentPrivilege	2744	wmic.exe
Token: SeRemoteShutdownPrivilege	2744	wmic.exe
Token: SeUndockPrivilege	2744	wmic.exe
Token: SeManageVolumePrivilege	2744	wmic.exe
Token: 33	2744	wmic.exe
Token: 34	2744	wmic.exe
Token: 35	2744	wmic.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

24e67548df5a641935f0c8334190ac289a50b02a140a0f2a2f9897581a5e9d7e.exeUmbral.exe

description	pid	process	target process
PID 2408 wrote to memory of 2376	2408	24e67548df5a641935f0c8334190ac289a50b02a140a0f2a2f9897581a5e9d7e.exe	powershell.exe
PID 2408 wrote to memory of 2376	2408	24e67548df5a641935f0c8334190ac289a50b02a140a0f2a2f9897581a5e9d7e.exe	powershell.exe
PID 2408 wrote to memory of 2376	2408	24e67548df5a641935f0c8334190ac289a50b02a140a0f2a2f9897581a5e9d7e.exe	powershell.exe
PID 2408 wrote to memory of 2096	2408	24e67548df5a641935f0c8334190ac289a50b02a140a0f2a2f9897581a5e9d7e.exe	XClient.exe
PID 2408 wrote to memory of 2096	2408	24e67548df5a641935f0c8334190ac289a50b02a140a0f2a2f9897581a5e9d7e.exe	XClient.exe
PID 2408 wrote to memory of 2096	2408	24e67548df5a641935f0c8334190ac289a50b02a140a0f2a2f9897581a5e9d7e.exe	XClient.exe
PID 2408 wrote to memory of 2924	2408	24e67548df5a641935f0c8334190ac289a50b02a140a0f2a2f9897581a5e9d7e.exe	Umbral.exe
PID 2408 wrote to memory of 2924	2408	24e67548df5a641935f0c8334190ac289a50b02a140a0f2a2f9897581a5e9d7e.exe	Umbral.exe
PID 2408 wrote to memory of 2924	2408	24e67548df5a641935f0c8334190ac289a50b02a140a0f2a2f9897581a5e9d7e.exe	Umbral.exe
PID 2924 wrote to memory of 2744	2924	Umbral.exe	wmic.exe
PID 2924 wrote to memory of 2744	2924	Umbral.exe	wmic.exe
PID 2924 wrote to memory of 2744	2924	Umbral.exe	wmic.exe

C:\Users\Admin\AppData\Local\Temp\24e67548df5a641935f0c8334190ac289a50b02a140a0f2a2f9897581a5e9d7e.exe
"C:\Users\Admin\AppData\Local\Temp\24e67548df5a641935f0c8334190ac289a50b02a140a0f2a2f9897581a5e9d7e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2376
- C:\Users\Admin\AppData\Local\Temp\XClient.exe
  "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2096
- C:\Users\Admin\AppData\Local\Temp\Umbral.exe
  "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Umbral.exe

Filesize
233KB

MD5
68cc8b6cb62ccafd2164688aa9079c38

SHA1
00a7ff14c1d6aaaa7921377381973248cf22f45a

SHA256
cda8731bc2db15706f12e31ef88936ba9fcb89c8196240d4edf219fa66d9392c

SHA512
8e357507ff583f66f6b8df5803753d1c902071799b65b3a14dedd27e3096f70c2ba990a859e1616704f88cd50c74342403142e8fde20eb674c803fa895d04336

Download Submit
C:\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
76KB

MD5
97924f4b04d2862e64dc337305b35b90

SHA1
5b334f61445cdfb81e4e555f5efbd5e04f69b300

SHA256
1c4f098217b53793dd2d0a3881ce37de2132a6a6bdae54c007a97506296b26de

SHA512
44e66200a4dfb0f504abf033a4a8dd883ef5582c4d569e2f3b1c128bdf826fec854ccc6760a7e45e217c4a5c495c08898f32ac3cf0da623a5938459677157085

Download Submit
memory/2096-19-0x0000000000D00000-0x0000000000D1A000-memory.dmp

Filesize
104KB

Download
memory/2376-6-0x0000000002CF0000-0x0000000002D70000-memory.dmp

Filesize
512KB

Download
memory/2376-7-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/2376-8-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download
memory/2408-0-0x000007FEF6723000-0x000007FEF6724000-memory.dmp

Filesize
4KB

Download
memory/2408-1-0x0000000000340000-0x000000000036C000-memory.dmp

Filesize
176KB

Download
memory/2924-20-0x0000000000ED0000-0x0000000000F10000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads