umbral

General

Target

obxod266dev.exe
Size

329KB
Sample

250223-mrrl4stnbm
MD5

31fc82eeaed45f2389b57ffb9d8f6ea2
SHA1

fd46d4e307b09a372a3bfc0d88b87eeccaf77912
SHA256

dc7f8c7c39bb043da2c19a03504c499e0af367fefee810a8190c1119992e2248
SHA512

418bca3b27a8354e559de8e1333ebc8ff42a5d4f07b42a0ec95775c9a52feb1d61a00006ceefef3be8e30dc07c0fb3123440413a2b16d8d9cc6e468cb9d5c962
SSDEEP

6144:3aDaK7MooumCpZSApAWl2IenY7YDlw+JmS1r8+CMCX:3LK7sk2IKYkp/mYPCX

Score

10^/10

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1342862584386420817/8iDLBPWkMbkgW0Lx9Tlnezr6EGJYKsdRBZ8GJHI66h0NchvKorRU-U6oiQsKR-OZeqD9

Extracted

Family

xworm

C2

25.ip.gl.ply.gg:59054

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Targets

- Target
  
  obxod266dev.exe
- Size
  
  329KB
- MD5
  
  31fc82eeaed45f2389b57ffb9d8f6ea2
- SHA1
  
  fd46d4e307b09a372a3bfc0d88b87eeccaf77912
- SHA256
  
  dc7f8c7c39bb043da2c19a03504c499e0af367fefee810a8190c1119992e2248
- SHA512
  
  418bca3b27a8354e559de8e1333ebc8ff42a5d4f07b42a0ec95775c9a52feb1d61a00006ceefef3be8e30dc07c0fb3123440413a2b16d8d9cc6e468cb9d5c962
- SSDEEP
  
  6144:3aDaK7MooumCpZSApAWl2IenY7YDlw+JmS1r8+CMCX:3LK7sk2IKYkp/mYPCX
Score

10^/10

umbral xworm execution persistence rat spyware stealer trojan discovery
- Detect Umbral payload
- Detect Xworm Payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Umbral family
  umbral
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2 behavioral3 behavioral4 behavioral5