umbral | d76a5a1ae2f2537b56c7e0499ab5f0c8ea28d7efbbc9793a5174aabbedc74f4e

Analysis

max time kernel
18s
max time network
35s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
20-02-2025 07:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NeuraX - Spoofer TEMP.exe
Size

368KB
MD5

35c6f16313a956763c7402b49499b1f9
SHA1

8f12a11413044b39cdd626be408aaae50254e4a5
SHA256

d76a5a1ae2f2537b56c7e0499ab5f0c8ea28d7efbbc9793a5174aabbedc74f4e
SHA512

fa16a5e069f5c0133674c5d3a515162a43c68cb619cf646b499fbd20b66dbc50a1dcd38003eeaa9335a95d432a8aa5bca1d0d6814011007d46b80e9556331cac
SSDEEP

6144:/3KWL1LMxGp99JRlnzN6gqoZ7zms0oXgd6TKU6EKKXclsBGlDstmvcHcI0us:/PLMxGpPJvzNZZ7iqgoTR2+ED0m0Hc6

Score

10^/10

umbral xworm rat stealer trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:14182

figure-cement.gl.at.ply.gg:14182

127.0.0.1:3913

purpose-perth.gl.at.ply.gg:3913

Attributes

Install_directory
%AppData%
install_file
Loader.exe

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001a00000002af55-27.dat	family_umbral
behavioral1/memory/980-37-0x0000016130610000-0x0000016130650000-memory.dmp	family_umbral

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/files/0x0009000000025e41-6.dat	family_xworm
behavioral1/files/0x001d00000002aee7-17.dat	family_xworm
behavioral1/memory/3564-33-0x0000000000270000-0x0000000000286000-memory.dmp	family_xworm
behavioral1/memory/1060-38-0x0000000000050000-0x0000000000064000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktop Window Manager.lnk	skibidi.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktop Window Manager.lnk	skibidi.exe

Executes dropped EXE 3 IoCs

pid	Process
1060	skibidi.exe
3564	Loader.exe
980	NeuraX - CLeaner.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeDebugPrivilege	3564	Loader.exe
Token: SeDebugPrivilege	1060	skibidi.exe
Token: SeDebugPrivilege	980	NeuraX - CLeaner.exe
Token: SeIncreaseQuotaPrivilege	4296	wmic.exe
Token: SeSecurityPrivilege	4296	wmic.exe
Token: SeTakeOwnershipPrivilege	4296	wmic.exe
Token: SeLoadDriverPrivilege	4296	wmic.exe
Token: SeSystemProfilePrivilege	4296	wmic.exe
Token: SeSystemtimePrivilege	4296	wmic.exe
Token: SeProfSingleProcessPrivilege	4296	wmic.exe
Token: SeIncBasePriorityPrivilege	4296	wmic.exe
Token: SeCreatePagefilePrivilege	4296	wmic.exe
Token: SeBackupPrivilege	4296	wmic.exe
Token: SeRestorePrivilege	4296	wmic.exe
Token: SeShutdownPrivilege	4296	wmic.exe
Token: SeDebugPrivilege	4296	wmic.exe
Token: SeSystemEnvironmentPrivilege	4296	wmic.exe
Token: SeRemoteShutdownPrivilege	4296	wmic.exe
Token: SeUndockPrivilege	4296	wmic.exe
Token: SeManageVolumePrivilege	4296	wmic.exe
Token: 33	4296	wmic.exe
Token: 34	4296	wmic.exe
Token: 35	4296	wmic.exe
Token: 36	4296	wmic.exe
Token: SeIncreaseQuotaPrivilege	4296	wmic.exe
Token: SeSecurityPrivilege	4296	wmic.exe
Token: SeTakeOwnershipPrivilege	4296	wmic.exe
Token: SeLoadDriverPrivilege	4296	wmic.exe
Token: SeSystemProfilePrivilege	4296	wmic.exe
Token: SeSystemtimePrivilege	4296	wmic.exe
Token: SeProfSingleProcessPrivilege	4296	wmic.exe
Token: SeIncBasePriorityPrivilege	4296	wmic.exe
Token: SeCreatePagefilePrivilege	4296	wmic.exe
Token: SeBackupPrivilege	4296	wmic.exe
Token: SeRestorePrivilege	4296	wmic.exe
Token: SeShutdownPrivilege	4296	wmic.exe
Token: SeDebugPrivilege	4296	wmic.exe
Token: SeSystemEnvironmentPrivilege	4296	wmic.exe
Token: SeRemoteShutdownPrivilege	4296	wmic.exe
Token: SeUndockPrivilege	4296	wmic.exe
Token: SeManageVolumePrivilege	4296	wmic.exe
Token: 33	4296	wmic.exe
Token: 34	4296	wmic.exe
Token: 35	4296	wmic.exe
Token: 36	4296	wmic.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 676 wrote to memory of 1060	676	NeuraX - Spoofer TEMP.exe	77
PID 676 wrote to memory of 1060	676	NeuraX - Spoofer TEMP.exe	77
PID 676 wrote to memory of 3564	676	NeuraX - Spoofer TEMP.exe	78
PID 676 wrote to memory of 3564	676	NeuraX - Spoofer TEMP.exe	78
PID 676 wrote to memory of 980	676	NeuraX - Spoofer TEMP.exe	79
PID 676 wrote to memory of 980	676	NeuraX - Spoofer TEMP.exe	79
PID 980 wrote to memory of 4296	980	NeuraX - CLeaner.exe	80
PID 980 wrote to memory of 4296	980	NeuraX - CLeaner.exe	80

C:\Users\Admin\AppData\Local\Temp\NeuraX - Spoofer TEMP.exe
"C:\Users\Admin\AppData\Local\Temp\NeuraX - Spoofer TEMP.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:676
- C:\Users\Admin\AppData\Roaming\skibidi.exe
  "C:\Users\Admin\AppData\Roaming\skibidi.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1060
- C:\Users\Admin\AppData\Roaming\Loader.exe
  "C:\Users\Admin\AppData\Roaming\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3564
- C:\Users\Admin\AppData\Roaming\NeuraX - CLeaner.exe
  "C:\Users\Admin\AppData\Roaming\NeuraX - CLeaner.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:980
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Loader.exe

Filesize
60KB

MD5
8d81cb248bc3cabb8f870d305c9da628

SHA1
2faf8b5e88d237198cf3a0d83dce6eeb72df5905

SHA256
864adf43fb7566bc89eddae126babe13e9556d9da44ef4ef6e81484559289ac9

SHA512
c93a22d82719c6da6123fc81caa1b714e828ec14c85931da3890fe548094103f80793c5c1de67af0b93f2d078ee410a10a5b3896ba512b385759ab9dae26a28d

Download Submit
C:\Users\Admin\AppData\Roaming\NeuraX - CLeaner.exe

Filesize
231KB

MD5
c4f0439175ac80f05ffec5da48d45ed4

SHA1
45350dbb06357d1230dba9184f1899d9d737866c

SHA256
a5c3af3b30e50f1202cafd220074543bc956de20186abe3f750163223da4528a

SHA512
ebb6c0c650e051761dad6d969f2da3e433998d5d01d28823fed5652aeb85aaacfbcc6b849d7d4bc01967d9552b9f862b50ced554ab932c12b5b7a683fdc0bfbd

Download Submit
C:\Users\Admin\AppData\Roaming\skibidi.exe

Filesize
57KB

MD5
94d345c8c8058719dfcc325caf73ce94

SHA1
c8ed543bdd54e52f3b6624f5820dd5d2e05e1367

SHA256
e0882f68128a2b2e2aa7b8473d31e47691f8bce2c76dd293dae24bbf8c8a1918

SHA512
deb8b44169b1217f0598ae32b9bc101e04074226630da81239581d51682cd19172e0a9d56fb4a27434fd343b32bcf8fe926a299bad686e2ebdbde2646b88d1dd

Download Submit
memory/676-0-0x00007FFBF2253000-0x00007FFBF2255000-memory.dmp

Filesize
8KB

Download
memory/676-1-0x00000000000F0000-0x0000000000152000-memory.dmp

Filesize
392KB

Download
memory/980-37-0x0000016130610000-0x0000016130650000-memory.dmp

Filesize
256KB

Download
memory/1060-38-0x0000000000050000-0x0000000000064000-memory.dmp

Filesize
80KB

Download
memory/1060-39-0x00007FFBF2250000-0x00007FFBF2D12000-memory.dmp

Filesize
10.8MB

Download
memory/1060-46-0x00007FFBF2250000-0x00007FFBF2D12000-memory.dmp

Filesize
10.8MB

Download
memory/3564-33-0x0000000000270000-0x0000000000286000-memory.dmp

Filesize
88KB

Download
memory/3564-40-0x00007FFBF2250000-0x00007FFBF2D12000-memory.dmp

Filesize
10.8MB

Download
memory/3564-42-0x00007FFBF2250000-0x00007FFBF2D12000-memory.dmp

Filesize
10.8MB

Download