General

Target: CheatCheck.exe
Size: 1.9MB
Sample: 240215-y2lpdsgb28
MD5: f5180bd1bede58236ddd37276403c888
SHA1: 919b6b47635e81a1f0f2637f89902fc9563387cd
SHA256: e00d8a4b001935fb2c6cbedf9300e364ed6bdfd29158e04dbdedb018c4a6878a
SHA512: cebec5ea8762f1aaee9884a46d3cf7d7d138dfc25240f5da1216cdcfdc32d0f5f47b677674837b178735eec2794227c7af7a85352501e8387fa7e06c7d1a6244
SSDEEP: 49152:62YU+sjELQXoeysHa6/3pKJz6lRusCofRVg6PJuL68l:62JT5G6/pKocsC6geJuG

Tasks

Static task: static1
Behavioral task: behavioral1 (sample: CheatCheck.exe; resource: win7-20231215-en)
Malware Config

Extracted family: umbral
C2 / exfiltration endpoint (Discord webhook): https://discordapp.com/api/webhooks/1205950589855473715/yMBp6zJGAY_8GNy4KCuGaBheW78ZyPBH6wBshmsyIHWe3bpwN-cogn3qrbzWQQLDF5nC

Umbral is a stealer that sends the data it collects to an attacker-controlled Discord webhook, so the URL above is the sample's exfiltration endpoint and an indicator of compromise. Treat the webhook ID and token as indicators; do not request the URL from analysis systems.
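The webhook URL is the most actionable indicator in this config, and it carries more information than a plain string match: the first path segment is a Discord snowflake ID whose top 42 bits encode the creation time (milliseconds since Discord's epoch 2015-01-01T00:00:00Z), which dates the attacker's infrastructure. The following Python is an added example, not part of the sandbox report or of Umbral; it parses the URL extracted above, decodes the snowflake using Discord's documented ID layout, and redacts the token for sharing. The `SAMPLE_STRINGS` blob is a constructed strings dump, not output from this sample.

```python
"""Turn the Discord webhook from an Umbral config into shareable indicators.

Added example; the URL is the one the report extracted.  Snowflake decoding
follows Discord's documented ID layout (timestamp = (id >> 22) + epoch).
Nothing here touches the network.
"""
import re
from datetime import datetime, timezone

DISCORD_EPOCH_MS = 1420070400000  # 2015-01-01T00:00:00Z, Discord's snowflake epoch

# Webhook URL as extracted in the report above (attacker-controlled; never POST to it).
EXTRACTED_WEBHOOK = ("https://discordapp.com/api/webhooks/1205950589855473715/"
                     "yMBp6zJGAY_8GNy4KCuGaBheW78ZyPBH6wBshmsyIHWe3bpwN-cogn3qrbzWQQLDF5nC")

# Accept discord.com and the legacy discordapp.com host, plus the ptb/canary front ends.
WEBHOOK_RE = re.compile(
    r"https://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/(\d{17,20})/([A-Za-z0-9_-]+)"
)

# Constructed strings-dump excerpt (not from the sample) with one webhook and some noise.
SAMPLE_STRINGS = """\
Umbral.Stealer
https://discord.com/api/v9/users/@me
""" + EXTRACTED_WEBHOOK + """
System.Net.Http.HttpClient
"""


def parse_webhook(url: str) -> dict:
    """Split a webhook URL into ID, redacted token and decoded creation time."""
    m = WEBHOOK_RE.fullmatch(url.strip())
    if not m:
        raise ValueError("not a Discord webhook URL")
    webhook_id, token = m.group(1), m.group(2)
    created_ms = (int(webhook_id) >> 22) + DISCORD_EPOCH_MS
    created = datetime.fromtimestamp(created_ms // 1000, tz=timezone.utc)
    return {
        "webhook_id": webhook_id,
        # Keep just enough of the token to correlate reports without leaking a usable secret.
        "token_redacted": token[:4] + "..." + token[-4:],
        "token_length": len(token),
        "created_epoch": created_ms // 1000,
        "created_utc": created.strftime("%Y-%m-%dT%H:%M:%SZ"),
    }


def extract_webhooks(blob: str) -> list:
    """Find every webhook URL in arbitrary text (strings output, config dump, memory)."""
    return [m.group(0) for m in WEBHOOK_RE.finditer(blob)]


if __name__ == "__main__":
    for url in extract_webhooks(SAMPLE_STRINGS):
        print(parse_webhook(url))
```

The decoded creation time gives the earliest moment the webhook could have received data, which is a useful lower bound when scoping an incident; the redacted form is what belongs in a shared report, while the full token stays in the case file.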
Targets

CheatCheck.exe, 1.9MB: the same file as under General (MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the values listed there).

Signatures
- Detect Umbral payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM): a VirtualBox guest exposes ACPI tables with the OEM ID VBOX__, which Windows mirrors under HKLM\HARDWARE\ACPI\DSDT, FADT and RSDT.
- Checks BIOS information in registry: the BIOS vendor/version and system manufacturer/product strings under HKLM\HARDWARE\DESCRIPTION\System\BIOS are often read in order to detect sandboxing and virtualized environments.
- Identifies Wine through registry keys: Wine is a compatibility layer capable of running Windows applications and is used as a sandboxing environment by some analysis systems; its presence shows up as HKCU\Software\Wine or HKLM\Software\Wine.
- Suspicious use of NtSetInformationThreadHideFromDebugger: calling NtSetInformationThread with ThreadInformationClass ThreadHideFromDebugger (0x11) stops debug events from that thread reaching an attached debugger, a common anti-debugging technique.
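The four anti-analysis signatures above all reduce to matching specific registry paths or a specific NtSetInformationThread argument in the behavioral trace. The following Python is an added example, not code from the sandbox or from the sample: it re-implements those checks as detection rules over a constructed, simplified API trace (one `<api> <argument>` call per line; the format is an assumption). The registry paths and the ThreadHideFromDebugger class value 0x11 are Windows facts rather than something the report states.

```python
"""Detection rules for the anti-VM, anti-sandbox and anti-debug checks flagged above.

Added example.  Scans a constructed API trace for the registry and thread
information reads a sample makes when probing for VirtualBox, a sandbox BIOS,
Wine, or an attached debugger.
"""
import re
from collections import defaultdict

# (signature name, pattern over one trace line, why it matters)
SIGNATURES = [
    ("Identifies VirtualBox via ACPI registry values",
     re.compile(r"HKLM\\HARDWARE\\ACPI\\(?:DSDT|FADT|RSDT)\\VBOX__", re.I),
     "VirtualBox guests expose ACPI tables with OEM ID VBOX__"),
    ("Checks BIOS information in registry",
     re.compile(r"HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS\\"
                r"(?:SystemManufacturer|SystemProductName|BIOSVendor|BIOSVersion)", re.I),
     "BIOS and OEM strings reveal hypervisors and sandbox appliances"),
    ("Identifies Wine through registry keys",
     re.compile(r"HK(?:LM|CU)\\Software\\Wine(?:\\|$)", re.I),
     "Wine, used by some sandboxes, creates a Software\\Wine key"),
    ("Suspicious use of NtSetInformationThreadHideFromDebugger",
     re.compile(r"NtSetInformationThread\b.*(?:ThreadHideFromDebugger|0x11\b)", re.I),
     "Detaches the calling thread from an attached debugger"),
]

# Constructed trace in the assumed "<api> <argument>" format (not from this sample).
SAMPLE_TRACE = r"""
RegOpenKeyExW HKLM\HARDWARE\ACPI\DSDT\VBOX__
RegQueryValueExW HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
RegQueryValueExW HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
RegOpenKeyExW HKCU\Software\Wine
NtSetInformationThread ThreadInformationClass=0x11 ThreadInformation=NULL
RegQueryValueExW HKCU\Software\Microsoft\Windows\CurrentVersion\Run
CreateFileW C:\Users\user\AppData\Local\Temp\CheatCheck.tmp
"""


def match_signatures(trace: str) -> dict:
    """Return {signature name: [matching trace lines]} for every rule that fired."""
    hits = defaultdict(list)
    for line in trace.splitlines():
        line = line.strip()
        if not line:
            continue
        for name, pattern, _why in SIGNATURES:
            if pattern.search(line):
                hits[name].append(line)
    return dict(hits)


def summarize(hits: dict) -> list:
    """One report line per fired signature with its hit count and rationale."""
    why = {name: reason for name, _pattern, reason in SIGNATURES}
    return [f"{name} ({len(lines)} hit(s)): {why[name]}" for name, lines in hits.items()]


if __name__ == "__main__":
    for row in summarize(match_signatures(SAMPLE_TRACE)):
        print(row)
```

Benign software reads the BIOS key too (licensing and telemetry code does), so the BIOS rule on its own is weak evidence; the combination with the VBOX__ ACPI probe, the Wine key and ThreadHideFromDebugger in one short trace is what makes the verdict convincing, which is why the summary lists every rule that fired rather than stopping at the first.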