Overview

overview

10

Static

static

3

87fdd33373...95.exe

windows7-x64

10

87fdd33373...95.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    6850a8c541b310a2f4a5cd88352856a3.bin

  • Size

    3.0MB

  • Sample

    240701-cg91lasgna

  • MD5

    1a6dc41dd636c557f429cba39dc89523

  • SHA1

    b6c93a3edc5220b50eede100dc4845f900ab9513

  • SHA256

    98d19ece6f9d50124465ab6c1eef845659aada6c62d3e32a2b75b487cf4efdda

  • SHA512

    03831e116fb62aa2eef55edc24c9e6ac992927eb1d4be87a724c2d8a56e8ddaef5a3167a7eaaca943540cdb5d49a78ab3048c719f5a2a56b543c697bd17525d5

  • SSDEEP

    49152:1efeAXBcD2lQZbv2efusucA5xlODW7lLcj2Kw3sPqcnGUCkvolDspXrv8R:4fe6pSSef9HAPkDELlsDGUrvolDsxI

Score
10/10
umbralxmrigxwormevasionexecutionminerpersistenceratspywarestealertrojanupx

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1252172365647974441/4gQlLrJt2VtCn71LmsFuTifq4qn3SRnlOC0k8H5iaa8g2BlP4YuRr9feLLYTpIHpdtxd

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:28223

unknown-sunglasses.gl.at.ply.gg:28223
Mutex

rVUJpGK3xHCE778M

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

aes.plain

Targets

    • Target

      87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe

    • Size

      3.0MB

    • MD5

      6850a8c541b310a2f4a5cd88352856a3

    • SHA1

      372ff19e90cec46e37797b343fe6f537116b4aae

    • SHA256

      87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95

    • SHA512

      924d20cd368e797a771cf8b27b5e8994c62139a85a92ca068b64b0ac65598475b2225a81d08abb2aab9ad87f08d261f950219c16cee1b6d2e21c4b0c95eee4fa

    • SSDEEP

      49152:g97jAtnr1ky+cFvVnJxuw9APD764uBxsPqlRJiM4C/d7Nch8zmOqYmlMH9TLi:g9otJOc/Jxuw9g764ssPqlbiM46ch8z6

    Score
    10/10
    umbralxmrigxwormevasionexecutionminerpersistenceratstealertrojanupxspyware

    • Detect Umbral payload

    • Detect Xworm Payload

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

      stealerumbral

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • XMRig Miner payload

      miner

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Creates new service(s)

      persistenceexecution

    • Drops file in Drivers directory

    • Stops running service(s)

      evasionexecution

    • .NET Reactor proctector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

      persistence
    behavioral1behavioral2

MITRE ATT&CK Matrix

Tasks