Extracted

Extracted

• • Target

    obxod266dev.exe

  • Size

    329KB

  • MD5

    31fc82eeaed45f2389b57ffb9d8f6ea2

  • SHA1

    fd46d4e307b09a372a3bfc0d88b87eeccaf77912

  • SHA256

    dc7f8c7c39bb043da2c19a03504c499e0af367fefee810a8190c1119992e2248

  • SHA512

    418bca3b27a8354e559de8e1333ebc8ff42a5d4f07b42a0ec95775c9a52feb1d61a00006ceefef3be8e30dc07c0fb3123440413a2b16d8d9cc6e468cb9d5c962

  • SSDEEP

    6144:3aDaK7MooumCpZSApAWl2IenY7YDlw+JmS1r8+CMCX:3LK7sk2IKYkp/mYPCX

  Score

  10^/10

  umbralxwormexecutionpersistenceratstealertrojan

  • Detect Umbral payload

  • Detect Xworm Payload

  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral

  • Umbral family

    umbral

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Xworm family

    xworm

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1behavioral2behavioral3behavioral4behavioral5