umbral

General

Target

midnight (1234).zip
Size

138KB
Sample

250106-hpmg6a1rgj
MD5

d6887c50a19ddf4160195a84017cbec7
SHA1

0e443176b3091a05da329c05c509fc1a412087d0
SHA256

f97488ee0b0f23efa8ce589d1e3456e575fb3b1ac938349b82c7d3aaa63e8e50
SHA512

956d56bb4469caaa1658233d59d327fb09a8a09dafe2af36537b2128deb4536a9c40d5b364f96bf006fca9832bf10491cfff22ad32ae7cba7dd0f2f37b0431eb
SSDEEP

3072:VLxP/oE8EIXTcylXkojCS9x9eEXy9o3Kpr8CxLv7L:FxP/oJDJlUcCS9x9evG3KpvZ/

Score

10^/10

Malware Config

Targets

- Target
  
  midnight.exe
- Size
  
  308KB
- MD5
  
  5ac307177606b2ae5c404f290e7a8283
- SHA1
  
  e4fd10a9e94c6ffc2394f8b5454fffaffaf7fce7
- SHA256
  
  ddd392e5d84b3e12121dd6b0c86a448669a92922b924344f964da8d3ebec3ab9
- SHA512
  
  a285c1331e62569abe1d4dc055464ce05691245bae407a59d4d488eb23bd2820d00ef26e3ea7d4bbb2eee5335f21402e3b43791c7a56d747f5b726b925fced8c
- SSDEEP
  
  6144:0AWNdBMyKbsCauloZM+rIkd8g+EtXHkv/iD4AEGobhS6F6AxDeebw3b8e1m+iU:OCa4oZtL+EP8AEGobhS6F6AxDeebWAU
Score

10^/10

umbral xworm discovery execution rat spyware stealer trojan
- Detect Umbral payload
- Detect Xworm Payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Umbral family
  umbral
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1