umbral

General

Target

NeuraX-SpooferTEMP.exe
Size

368KB
Sample

250220-h9vdhazjcz
MD5

35c6f16313a956763c7402b49499b1f9
SHA1

8f12a11413044b39cdd626be408aaae50254e4a5
SHA256

d76a5a1ae2f2537b56c7e0499ab5f0c8ea28d7efbbc9793a5174aabbedc74f4e
SHA512

fa16a5e069f5c0133674c5d3a515162a43c68cb619cf646b499fbd20b66dbc50a1dcd38003eeaa9335a95d432a8aa5bca1d0d6814011007d46b80e9556331cac
SSDEEP

6144:/3KWL1LMxGp99JRlnzN6gqoZ7zms0oXgd6TKU6EKKXclsBGlDstmvcHcI0us:/PLMxGpPJvzNZZ7iqgoTR2+ED0m0Hc6

Score

10^/10

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:3913

purpose-perth.gl.at.ply.gg:3913

127.0.0.1:14182

figure-cement.gl.at.ply.gg:14182

Attributes

Install_directory
%Userprofile%
install_file
USB.exe

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1339055156502986883/hV7TgqQ9AafNGFGpp7dC-W403JrFQJgWGzHFHp2kf7TXQCcWELY6esk8kBXS_EYrIukR

Targets

- Target
  
  NeuraX-SpooferTEMP.exe
- Size
  
  368KB
- MD5
  
  35c6f16313a956763c7402b49499b1f9
- SHA1
  
  8f12a11413044b39cdd626be408aaae50254e4a5
- SHA256
  
  d76a5a1ae2f2537b56c7e0499ab5f0c8ea28d7efbbc9793a5174aabbedc74f4e
- SHA512
  
  fa16a5e069f5c0133674c5d3a515162a43c68cb619cf646b499fbd20b66dbc50a1dcd38003eeaa9335a95d432a8aa5bca1d0d6814011007d46b80e9556331cac
- SSDEEP
  
  6144:/3KWL1LMxGp99JRlnzN6gqoZ7zms0oXgd6TKU6EKKXclsBGlDstmvcHcI0us:/PLMxGpPJvzNZZ7iqgoTR2+ED0m0Hc6
Score

10^/10

umbral xworm rat stealer trojan
- Detect Umbral payload
- Detect Xworm Payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Umbral family
  umbral
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Detect Umbral payload

Detect Xworm Payload

Umbral family

Xworm

Xworm family

Checks computer location settings

Drops startup file

Executes dropped EXE

Looks up external IP address via web service

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2