General
-
Target
https://cdn.discordapp.com/attachments/1128768775949389844/1170554457503838258/ConsoleApplication1_protected.exe?ex=655976ca&is=654701ca&hm=9359f9c36307ef7f4d225a9451f15ee3d8fc911ca490483440dc9abb34ffe355&
-
Sample
231105-c84mwsbh36
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1170536634891128902/hdNxkvpSxRXfW2ouud2imDE8eFbcAfoi3fBBxpcoRyxI8E-rxHT7NHLuI-Q-ThYq7M3H
Targets
-
-
Target
https://cdn.discordapp.com/attachments/1128768775949389844/1170554457503838258/ConsoleApplication1_protected.exe?ex=655976ca&is=654701ca&hm=9359f9c36307ef7f4d225a9451f15ee3d8fc911ca490483440dc9abb34ffe355&
Score10/10-
Detect Umbral payload
-
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Detected potential entity reuse from brand microsoft.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-