General

  • Target

    Malware .rar

  • Size

    68.3MB

  • Sample

    250207-xarkwssmcs

  • MD5

    e62879be2afac8419e0cde9d4209f3a6

  • SHA1

    696a22ada4a84bc172726c61dd3d7947d844e38c

  • SHA256

    4cc1f9f24687b31979df108d1cb40b332b2b867aa004314b3844fc9388051d10

  • SHA512

    8ef78750ae7e9608b0d373ca3138b71d6f243b70ce254a50dda8f8230623ce9a0e4aca4e473570decc9f85c5acc2b593966d0175c3bee77bec2aedea3a2b5fcc

  • SSDEEP

    1572864:tFxAPFvpjPQBKppp3G/39P/N8yfMB1YYINRfBMppKs9JvHNVSuq+Y:lANxjEKppp3GfFi+MgzRfBMpPJpY

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1337020963363225641/h0Ve6Z9WtTbW9d3frLkSaZTzjtjFum8OAq1NnRnHG-Vd0mImdRoT37Xs5_5jhVWlKEdf

Targets

    • Target

      krx/.RUN THIS SCRIPT TO START KRX.bat

    • Size

      348B

    • MD5

      208fd017fc655c28b29d21fd3f2f7807

    • SHA1

      9909f1316a2db084c659660a8e4a9eb024523de0

    • SHA256

      0d85ab947bc0b645e5bf7236b6b5731e400d25b5b3e011342263f9f2e23c4074

    • SHA512

      51ce02366c1eaa0a37c9526c4fba52ccd7e6d35624f30708a4c12ed81891021ed83649009e5b0b26928b54fb2890339cd30417317354cf684c6dd8a7d0292f43

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an open-source modular stealer written in C#.

    • Umbral family

    • Executes dropped EXE

    • Loads dropped DLL

    • Unexpected DNS network traffic destination

      Network traffic to servers other than the configured DNS servers was detected on the DNS port.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      krx/.crack.ps1

    • Size

      221B

    • MD5

      e4b46737db95b748ce1368a04fcac3f5

    • SHA1

      a6166a939b8b7d73e77e5a9fef7bd467d6b24085

    • SHA256

      f3a1c2269666452591c97a85115d88129ebc61312013ef422f5137d1bd1b0d3d

    • SHA512

      38c0daa7efe25047fbb0945ac95cb2ea434ca9bb6d791e466d73de85f645a67e72a8c2274b997b7bcda3053e774ae78d51b8b1fc00be8a1278b26d9835c056ee

    Score
    7/10
    • Unexpected DNS network traffic destination

      Network traffic to servers other than the configured DNS servers was detected on the DNS port.

    • Target

      krx/RUN THIS SCRIPT TO START KRX.bat.lnk

    • Size

      1KB

    • MD5

      4c86e93d580bdd34d6a789b0f46afab7

    • SHA1

      d6598b1ea15eefba1316a52a8ba721c77152f20c

    • SHA256

      cd531534cc3454ff81864230d94c8aa26952be3fe6e34dab128c23f71c3e5d56

    • SHA512

      fdfba0de21c8e65b59ebe2e0b96c97adb02da9766b8a30fb9bb1ce1a5ee46335e03f7b4c13a590351670638042b5a8d5065fe9c21fe2ce3108a39d53432d353a

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an open-source modular stealer written in C#.

    • Umbral family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Unexpected DNS network traffic destination

      Network traffic to servers other than the configured DNS servers was detected on the DNS port.

    • Target

      krx/krx/DDNet-Server.exe

    • Size

      3.1MB

    • MD5

      04fd40dd04829b5916568e42431e05eb

    • SHA1

      e323ac74341b73dfca141b7aaa1364c3f6831f7e

    • SHA256

      ae7fdb63bf91a66912dbfb7b1cf292858c111a02d578c4ba89c10943eea42481

    • SHA512

      3b89b301ae3a5d0aaffc3b8c0a1c3487e09de664ab31d4f20e7df92241ab2ce4be96d60ab10edaff2162ee3c42bbccbbe28867bdfe925b93a210a4b57f8c5ed0

    • SSDEEP

      49152:VkYz/vWf6cka4NPYwQ21mQJs8kXYjlY7Js8Qh6YtBegTcCspeEY8NQD0dhk6eoMN:Vkg1zVdjlVTECspeEY8QoMuAr

    Score
    1/10
    • Target

      krx/krx/KRX Client.exe

    • Size

      13.5MB

    • MD5

      14aa5b66b4eb09f2ec43ab2785353b30

    • SHA1

      13e604b67db06e15a4f6c320fadb653f35d8bd1a

    • SHA256

      83d30f0c1b0fb62ba26d7a2a8ddd0f1d0a355d4011d57c9316fc1fe6fc3e144b

    • SHA512

      ae7b132ae3d91e1f7967fffc52c7b30760d4bf29f7c3c25522c27002399c2de865729e99ce7141baa6355ce6e22141721e733bc1ebdacc840f2d3ad112ead39a

    • SSDEEP

      196608:1aqDXlWLO5Ui4d+fNcCnpVubF7d2vziaM7G9PEozWpLMFhKxY+MyAD0vOLQpMJKu:1a0eO9kh7EzzKOPEoypIFDWY3tKgO4

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an open-source modular stealer written in C#.

    • Umbral family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      krx/krx/SDL2.dll

    • Size

      2.2MB

    • MD5

      9f2509c44faa79c87382855d4a94966b

    • SHA1

      4474c7d2923dd0a535c01612c6bd2c0e1f1faef3

    • SHA256

      d0ac4e209a78ad56d53af2df40a51ae9e4043704efbed5b46bf75a57ec92ab1b

    • SHA512

      fb5f407af1020109acdf693f5391cdf7905a99d0d09628bf066f459caa36cd2e296adb623a60950191e4e3395501c332b672ecc219bdc02415013dba42d6ccb3

    • SSDEEP

      49152:5L6mcGjDqleTVMEGol1sEQf21L1gz6vr//uw0508uLMDpYwvuIBxV:F6QHpQO1L1jvrXuw0S8DpD2IBxV

    Score
    3/10
    • Target

      krx/krx/avcodec-61.dll

    • Size

      2.7MB

    • MD5

      ae6632db7de61ef9a0e1045b829502dc

    • SHA1

      e4c9eae709c3b3f415f9183e2e45292c14b9d5e2

    • SHA256

      58c71baa592da746c9c5e30fdd41814a2736454b2b7168da4ab88585758d4786

    • SHA512

      37d112a490105d11283fab5a2febb618305919932bc18b55b79bc0d3ef862791d3f6f8cc6dfc57b00ce1fb7dc576c724dafbff84144212b247e51e265904c28f

    • SSDEEP

      49152:sG89fcQ/HjCDvYceJirwiucX2bpbsyt7U9gkUObKPHv5bW:he0Q/jYv8/NR1TdW

    Score
    1/10
    • Target

      krx/krx/avformat-61.dll

    • Size

      502KB

    • MD5

      179f9ae9eb9e05411966a0d943e75360

    • SHA1

      a543163fbea7ba8061da700133cc97e9ebcda589

    • SHA256

      b72292ed8140957752e45880b597b6e1a673fb66e740379d29614dee1454d3a2

    • SHA512

      ca77ce3fb5e345ea6304c9d405de577b164224df01ca25ce1ae560ab82463dfa6b0dacd6880d8d8821b15d3892f8d12bbee76832dee1cfef083b74f127949fc0

    • SSDEEP

      12288:vHoTMfa6+pLH1SicSrISTE6bj3tZEdEyd:vHp0HnHASfyd

    Score
    3/10
    • Target

      krx/krx/avutil-59.dll

    • Size

      1000KB

    • MD5

      9f4e1d61cf779052fed243c2142495b2

    • SHA1

      246b28f23c542ba6f38767ad420fc4b6f716c8af

    • SHA256

      cd256113d455d362d769a859d2214b9f672be8d2692eebd7539675d31620ca6b

    • SHA512

      f3059d52d93731fee5fc03af389ea08f85f449caadc79a0021fe3da2234648ad3bbf012d96eddd2de161bab062bb8be3a9bc98114cb941bb46c1e0117c241593

    • SSDEEP

      12288:4wCIUQiy/TXud3kOo09O11s5mbxZnBR2XoR6nP3J:4uioXud3kOn9x8fqYRoJ

    Score
    1/10
    • Target

      krx/krx/config_directory.bat

    • Size

      222B

    • MD5

      6191ec1743f8b924e43ebc2ab61ed4fc

    • SHA1

      ae0e5de76c78618c4b8b1e22976bf50d366f3504

    • SHA256

      1fbad52532e2685345cc3e5366e88d965f107e6c6013002e0bd6ad5da0377ad7

    • SHA512

      4ff02eb42dddbb1d3845762a42c58abaa26344d64a308dea9210a180a50d1ea36df5d2852db0d1af06d8b35f2d84910281ba1ec712905acc9ef8b359900b8327

    Score
    1/10
    • Target

      krx/krx/config_retrieve.exe

    • Size

      1.6MB

    • MD5

      f7555d80ff6e60a59365f01414501479

    • SHA1

      1d6178f5c1b2896bc4edfae4c047bf861ca6f948

    • SHA256

      278aa12afd5178f7fe61b41c0f639bb38449d7d76e20e87948a56c8bfb16273b

    • SHA512

      c8b1a1ca3198e2be632dfbec70408d8c4c2d6a49f33f6d84dae0da599a058a95d881fefec8f0e23d5b1b56c5e4ce5f9fcf7fb387d2fd38e0f746190ed22f9aff

    • SSDEEP

      24576:9ZD+Rvm86X41C7YrxtyeLLb5TfHdyjMChDl8XMa436oMdZ:7+R+8i41CWxtyeXb5TfHdyjMCxSEqoMD

    Score
    1/10
    • Target

      krx/krx/config_store.exe

    • Size

      1.6MB

    • MD5

      44b8f89981fe8cee058b46e645bb07f9

    • SHA1

      b22520a2bca53316d854a57aa3c43bb1199c6f60

    • SHA256

      3e3e64438ccc8f4dbd185ae727946f8aafeef7261414c8f529599cd17e83f4e1

    • SHA512

      ac4b7820966cdd004febdb5683ab4768e9ed4d1d9dfb33297b868a62da3e93061821817d600f45b7c74c3c81a083f08c9995372580e75e9f364e85c7f6e216a0

    • SSDEEP

      49152:kTgQmuyH46XJ0IR4qbVutKSEFbwWczBvdgoMk:kKXPR4qbVutKkyoMk

    Score
    1/10
    • Target

      krx/krx/data/krx/DDNet_original.exe

    • Size

      5.6MB

    • MD5

      5de71aaecb893305bf6078dc8fbee0c3

    • SHA1

      b9ca5c36a2ada71b4a92e8317e00c951b6f3fef7

    • SHA256

      ecc13b76f7d179f1889a9b6982399018cf55de637d1c133a0cbc87e1a1d6e2b6

    • SHA512

      64474102363dc78b343811bb1074d771c6c5ee6f2a8710ebddfea291f88751a18f71fea3b886768a10f1b5fffbe4c273f689e9c148514478d1f3be809fc3c5ad

    • SSDEEP

      98304:ZsQhBQtkRNY4ibOJyLX1jY2enhjzg9idRKf6oMUq+kTuuXZ:ZOiNd0QKf6XUq+kTV

    Score
    1/10
    • Target

      krx/krx/dbgcore.dll

    • Size

      162KB

    • MD5

      8bb7fa4422c9ddc162051d8b7e5522d7

    • SHA1

      07a01c2ccffd3d27f2a0d0ddf38dde1dd10455ec

    • SHA256

      db947c07167069d3de9e8a637baf01298984355d775ec49801115d7e5f2e47a3

    • SHA512

      7bfbbae884fe9f2235dd24ab9b0f5d35bc6af28bb6e562c000e36962be47de53bf9adc44e8b2d75b1c911a51d1e354ff94e216e66089269e6c7dee8085b98a60

    • SSDEEP

      3072:XBvYv24Qwk0uHtYN2ZrO3p5oKKASB0ddOQYgOxTsvmbtIahY2rAW:XBg2VWuo3554ASB0ddOgahMW

    Score
    1/10
    • Target

      krx/krx/dbghelp.dll

    • Size

      1.8MB

    • MD5

      3fbb5bbc320109a3adf8866289a81211

    • SHA1

      543b936a89fbdb0220381eeff0824b3968390e82

    • SHA256

      3d92df0984662298a09d988aff0bb7c3081a46bf48177b7af02d3552641f77e9

    • SHA512

      e4fe89ffa2b723a8162a7eae05f42639a6cf86bca77495d2834fa0f58131ab8fac8336901f8bdce19c5b5b49aa6c5c4b0056febccf42b8fe395401696d0694cc

    • SSDEEP

      24576:VOTeT88eTQhAWiJhXsg/537W7rDLIVn0a1pCVBz2P583pdj8DqF2gIMYT5q4NZrn:gCTwOkh37W7zI1JDUA583pEqF2gIr5vb

    Score
    8/10
    • Downloads MZ/PE file

    • Target

      krx/krx/demo_extract_chat.exe

    • Size

      1.6MB

    • MD5

      6372280ed72fc59a101ae8d16c1a010c

    • SHA1

      52355b8ea5c80ff745845b5100f79bb62c79bb6f

    • SHA256

      f950a26258ac4c5dd1f4de4a638e14bb93a257bc0fca03acab7a660b18d2b1b2

    • SHA512

      5a98eec76592f920e279a6759d6ddf717f56f12a5b2fd59c0cc534bba80bf8ad1899a858d9c569f47041f29a31cb0a1d79a3a1c1b5ace5e30eccb647f91c6d6d

    • SSDEEP

      49152:DmDcar3HdzKK02jTR05/ZStLq7wiIR19EoMA:DOL0OR05/ZStLBcoMA

    Score
    8/10
    • Downloads MZ/PE file

    • Target

      krx/krx/dilate.exe

    • Size

      1.6MB

    • MD5

      ac47fe30562e84f7d72246aef592ade9

    • SHA1

      d4405f9c1a51f4897b0fbe184de3973286379f58

    • SHA256

      100475e5df17f36e30562dcc990122d4304dc8c0929c7ce50078ab6742c701b3

    • SHA512

      35f63ebb082a8d5d5b7876a7b23fd152e180184895b0ae8c47b1b39e59f6566cb2be4a1dff9f5722947686ba57df369a2c28be3c1ce63135e89c52fe4def32a6

    • SSDEEP

      49152:HTyAWMYA+QbuIM6t0oc/Mbda0Gq6DGwToMWCd1Y:HW38u2t0oc/MbM7oMWJ

    Score
    8/10
    • Downloads MZ/PE file

MITRE ATT&CK Enterprise v15

Tasks

static1

Score
3/10

behavioral1

umbral discovery execution stealer
Score
10/10

behavioral2

umbral discovery execution stealer
Score
10/10

behavioral3

execution
Score
3/10

behavioral4

execution
Score
7/10

behavioral5

Score
3/10

behavioral6

umbral discovery execution stealer
Score
10/10

behavioral7

Score
1/10

behavioral8

Score
1/10

behavioral9

umbral discovery stealer
Score
10/10

behavioral10

umbral discovery stealer
Score
10/10

behavioral11

Score
1/10

behavioral12

discovery
Score
3/10

behavioral13

Score
1/10

behavioral14

Score
1/10

behavioral15

Score
1/10

behavioral16

discovery
Score
3/10

behavioral17

Score
1/10

behavioral18

Score
1/10

behavioral19

Score
1/10

behavioral20

Score
1/10

behavioral21

Score
1/10

behavioral22

Score
1/10

behavioral23

Score
1/10

behavioral24

Score
1/10

behavioral25

Score
1/10

behavioral26

Score
1/10

behavioral27

Score
1/10

behavioral28

discovery
Score
8/10

behavioral29

Score
1/10

behavioral30

discovery
Score
8/10

behavioral31

Score
1/10

behavioral32

discovery
Score
8/10