General
-
Target
https://cdn.discordapp.com/attachments/1162528692199760003/1170231677122002954/Generator_For_evrything.exe?ex=65584a2d&is=6545d52d&hm=f33bc8b1f1cc533cfdd17aa3259f0d5f5c10af7db32b4a92df10012c98b6c252&
-
Sample
231104-f3d2tscf31
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1168013009873014824/PeLMu06lSpxirxupjlOHtuMtDLUJuyAIuSnIU6YUE-0FoT6J7y8XrmENWe2xoplSJo2R
Targets
-
-
Target
https://cdn.discordapp.com/attachments/1162528692199760003/1170231677122002954/Generator_For_evrything.exe?ex=65584a2d&is=6545d52d&hm=f33bc8b1f1cc533cfdd17aa3259f0d5f5c10af7db32b4a92df10012c98b6c252&
Score10/10-
Detect Umbral payload
-
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Executes dropped EXE
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-