umbral | d76a5a1ae2f2537b56c7e0499ab5f0c8ea28d7efbbc9793a5174aabbedc74f4e

Analysis

max time kernel
143s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-02-2025 07:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NeuraX - Spoofer TEMP.exe
Size

368KB
MD5

35c6f16313a956763c7402b49499b1f9
SHA1

8f12a11413044b39cdd626be408aaae50254e4a5
SHA256

d76a5a1ae2f2537b56c7e0499ab5f0c8ea28d7efbbc9793a5174aabbedc74f4e
SHA512

fa16a5e069f5c0133674c5d3a515162a43c68cb619cf646b499fbd20b66dbc50a1dcd38003eeaa9335a95d432a8aa5bca1d0d6814011007d46b80e9556331cac
SSDEEP

6144:/3KWL1LMxGp99JRlnzN6gqoZ7zms0oXgd6TKU6EKKXclsBGlDstmvcHcI0us:/PLMxGpPJvzNZZ7iqgoTR2+ED0m0Hc6

Score

10^/10

umbral xworm rat stealer trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:3913

purpose-perth.gl.at.ply.gg:3913

127.0.0.1:14182

figure-cement.gl.at.ply.gg:14182

Attributes

Install_directory
%Userprofile%
install_file
USB.exe

Extracted

Family

umbral

https://discord.com/api/webhooks/1339055156502986883/hV7TgqQ9AafNGFGpp7dC-W403JrFQJgWGzHFHp2kf7TXQCcWELY6esk8kBXS_EYrIukR

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000015da7-15.dat	family_umbral
behavioral1/memory/2524-19-0x0000000000C00000-0x0000000000C40000-memory.dmp	family_umbral

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/files/0x000d00000001226d-5.dat	family_xworm
behavioral1/files/0x0007000000015d9a-10.dat	family_xworm
behavioral1/memory/3064-17-0x0000000000BF0000-0x0000000000C04000-memory.dmp	family_xworm
behavioral1/memory/2264-16-0x00000000001B0000-0x00000000001C6000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktop Window Manager.lnk	skibidi.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktop Window Manager.lnk	skibidi.exe

Executes dropped EXE 3 IoCs

pid	Process
3064	skibidi.exe
2264	Loader.exe
2524	NeuraX - CLeaner.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com
16	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	2264	Loader.exe
Token: SeDebugPrivilege	3064	skibidi.exe
Token: SeDebugPrivilege	2524	NeuraX - CLeaner.exe
Token: SeIncreaseQuotaPrivilege	1208	wmic.exe
Token: SeSecurityPrivilege	1208	wmic.exe
Token: SeTakeOwnershipPrivilege	1208	wmic.exe
Token: SeLoadDriverPrivilege	1208	wmic.exe
Token: SeSystemProfilePrivilege	1208	wmic.exe
Token: SeSystemtimePrivilege	1208	wmic.exe
Token: SeProfSingleProcessPrivilege	1208	wmic.exe
Token: SeIncBasePriorityPrivilege	1208	wmic.exe
Token: SeCreatePagefilePrivilege	1208	wmic.exe
Token: SeBackupPrivilege	1208	wmic.exe
Token: SeRestorePrivilege	1208	wmic.exe
Token: SeShutdownPrivilege	1208	wmic.exe
Token: SeDebugPrivilege	1208	wmic.exe
Token: SeSystemEnvironmentPrivilege	1208	wmic.exe
Token: SeRemoteShutdownPrivilege	1208	wmic.exe
Token: SeUndockPrivilege	1208	wmic.exe
Token: SeManageVolumePrivilege	1208	wmic.exe
Token: 33	1208	wmic.exe
Token: 34	1208	wmic.exe
Token: 35	1208	wmic.exe
Token: SeIncreaseQuotaPrivilege	1208	wmic.exe
Token: SeSecurityPrivilege	1208	wmic.exe
Token: SeTakeOwnershipPrivilege	1208	wmic.exe
Token: SeLoadDriverPrivilege	1208	wmic.exe
Token: SeSystemProfilePrivilege	1208	wmic.exe
Token: SeSystemtimePrivilege	1208	wmic.exe
Token: SeProfSingleProcessPrivilege	1208	wmic.exe
Token: SeIncBasePriorityPrivilege	1208	wmic.exe
Token: SeCreatePagefilePrivilege	1208	wmic.exe
Token: SeBackupPrivilege	1208	wmic.exe
Token: SeRestorePrivilege	1208	wmic.exe
Token: SeShutdownPrivilege	1208	wmic.exe
Token: SeDebugPrivilege	1208	wmic.exe
Token: SeSystemEnvironmentPrivilege	1208	wmic.exe
Token: SeRemoteShutdownPrivilege	1208	wmic.exe
Token: SeUndockPrivilege	1208	wmic.exe
Token: SeManageVolumePrivilege	1208	wmic.exe
Token: 33	1208	wmic.exe
Token: 34	1208	wmic.exe
Token: 35	1208	wmic.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 3064	2160	NeuraX - Spoofer TEMP.exe	30
PID 2160 wrote to memory of 3064	2160	NeuraX - Spoofer TEMP.exe	30
PID 2160 wrote to memory of 3064	2160	NeuraX - Spoofer TEMP.exe	30
PID 2160 wrote to memory of 2264	2160	NeuraX - Spoofer TEMP.exe	31
PID 2160 wrote to memory of 2264	2160	NeuraX - Spoofer TEMP.exe	31
PID 2160 wrote to memory of 2264	2160	NeuraX - Spoofer TEMP.exe	31
PID 2160 wrote to memory of 2524	2160	NeuraX - Spoofer TEMP.exe	32
PID 2160 wrote to memory of 2524	2160	NeuraX - Spoofer TEMP.exe	32
PID 2160 wrote to memory of 2524	2160	NeuraX - Spoofer TEMP.exe	32
PID 2524 wrote to memory of 1208	2524	NeuraX - CLeaner.exe	35
PID 2524 wrote to memory of 1208	2524	NeuraX - CLeaner.exe	35
PID 2524 wrote to memory of 1208	2524	NeuraX - CLeaner.exe	35

C:\Users\Admin\AppData\Local\Temp\NeuraX - Spoofer TEMP.exe
"C:\Users\Admin\AppData\Local\Temp\NeuraX - Spoofer TEMP.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Users\Admin\AppData\Roaming\skibidi.exe
  "C:\Users\Admin\AppData\Roaming\skibidi.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3064
- C:\Users\Admin\AppData\Roaming\Loader.exe
  "C:\Users\Admin\AppData\Roaming\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2264
- C:\Users\Admin\AppData\Roaming\NeuraX - CLeaner.exe
  "C:\Users\Admin\AppData\Roaming\NeuraX - CLeaner.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Loader.exe

Filesize
60KB

MD5
8d81cb248bc3cabb8f870d305c9da628

SHA1
2faf8b5e88d237198cf3a0d83dce6eeb72df5905

SHA256
864adf43fb7566bc89eddae126babe13e9556d9da44ef4ef6e81484559289ac9

SHA512
c93a22d82719c6da6123fc81caa1b714e828ec14c85931da3890fe548094103f80793c5c1de67af0b93f2d078ee410a10a5b3896ba512b385759ab9dae26a28d

Download Submit
C:\Users\Admin\AppData\Roaming\NeuraX - CLeaner.exe

Filesize
231KB

MD5
c4f0439175ac80f05ffec5da48d45ed4

SHA1
45350dbb06357d1230dba9184f1899d9d737866c

SHA256
a5c3af3b30e50f1202cafd220074543bc956de20186abe3f750163223da4528a

SHA512
ebb6c0c650e051761dad6d969f2da3e433998d5d01d28823fed5652aeb85aaacfbcc6b849d7d4bc01967d9552b9f862b50ced554ab932c12b5b7a683fdc0bfbd

Download Submit
C:\Users\Admin\AppData\Roaming\skibidi.exe

Filesize
57KB

MD5
94d345c8c8058719dfcc325caf73ce94

SHA1
c8ed543bdd54e52f3b6624f5820dd5d2e05e1367

SHA256
e0882f68128a2b2e2aa7b8473d31e47691f8bce2c76dd293dae24bbf8c8a1918

SHA512
deb8b44169b1217f0598ae32b9bc101e04074226630da81239581d51682cd19172e0a9d56fb4a27434fd343b32bcf8fe926a299bad686e2ebdbde2646b88d1dd

Download Submit
memory/2160-0-0x000007FEF5B23000-0x000007FEF5B24000-memory.dmp

Filesize
4KB

Download
memory/2160-1-0x0000000000EC0000-0x0000000000F22000-memory.dmp

Filesize
392KB

Download
memory/2264-16-0x00000000001B0000-0x00000000001C6000-memory.dmp

Filesize
88KB

Download
memory/2524-19-0x0000000000C00000-0x0000000000C40000-memory.dmp

Filesize
256KB

Download
memory/3064-17-0x0000000000BF0000-0x0000000000C04000-memory.dmp

Filesize
80KB

Download
memory/3064-20-0x000007FEF5B20000-0x000007FEF650C000-memory.dmp

Filesize
9.9MB

Download
memory/3064-24-0x000007FEF5B20000-0x000007FEF650C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads