General

  • Target

    073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce

  • Size

    800KB

  • Sample

    241117-b6eejsybrc

  • MD5

    7198fa10a50ea9aaf6ae5c2a05af2104

  • SHA1

    c35a2a73313e3c5ad08136e3bc583bb9bc26964c

  • SHA256

    073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce

  • SHA512

    56db894671d6b5e093ef2de88ba785f1d9159e2b206593886ad540d336c5dfa79cd5ea7b6b29fbdd39d3a2355bcc01d90f5fff64e97fcbda383e38df79353acf

  • SSDEEP

    12288:naMgC/rJdxLDMVVV/1EIEm6l6O6+26AFxKxg0YZbs7Ql:naMgGfxLDmVwoV+26YcY+0

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1303474825066446879/NebQ1EAeNBTUfzGkn_W4tnvKCl9pOSQ87UqZdaxri0p165SfLuSuU_8R57ng1lqsCx6o

Extracted

Family

xworm

C2

127.0.0.1:26848

23.ip.gl.ply.gg:26848

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    Windows Security Host.exe

Targets

    • Target

      073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce

    • Size

      800KB

    • MD5

      7198fa10a50ea9aaf6ae5c2a05af2104

    • SHA1

      c35a2a73313e3c5ad08136e3bc583bb9bc26964c

    • SHA256

      073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce

    • SHA512

      56db894671d6b5e093ef2de88ba785f1d9159e2b206593886ad540d336c5dfa79cd5ea7b6b29fbdd39d3a2355bcc01d90f5fff64e97fcbda383e38df79353acf

    • SSDEEP

      12288:naMgC/rJdxLDMVVV/1EIEm6l6O6+26AFxKxg0YZbs7Ql:naMgGfxLDmVwoV+26YcY+0

    • Detect Umbral payload

    • Detect Xworm Payload

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

    • Umbral family

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Blocklisted process makes network request

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks