General
-
Target
0270d5596c31ec92bb6eaacb220ef3ac5ee8e1df60d38e46b8d1b7b5b2a9b519
-
Size
229KB
-
Sample
240320-vpehrsdf22
-
MD5
3cf0aadd7a3224eea6a51986d4762872
-
SHA1
b0a6bcb3a6b4fbb45e808b64877dea61500f588a
-
SHA256
0270d5596c31ec92bb6eaacb220ef3ac5ee8e1df60d38e46b8d1b7b5b2a9b519
-
SHA512
88a6992e76cfb14d3f0039c3d14efce33aad9f3631f23f2e276d753dedbd032d9e350472877457084070fbbed1f44be8cd116c800ffaf360f21240718226b209
-
SSDEEP
6144:lloZMUrIkd8g+EtXHkv/iD4fOuiiAfboAxUyzzq9wab8e1mWi:noZrL+EP8fOuiiAfboAxUyzzqpg
Behavioral task
behavioral1
Sample
0270d5596c31ec92bb6eaacb220ef3ac5ee8e1df60d38e46b8d1b7b5b2a9b519.exe
Resource
win7-20240221-en
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1215354076070416395/CwG01eqjipZ-wtJblRR97YhlG5NVOLYDULEHAq-3eGYVs_FuLML92YFisYpVszTYHv4j
Targets
-
-
Target
0270d5596c31ec92bb6eaacb220ef3ac5ee8e1df60d38e46b8d1b7b5b2a9b519
-
Size
229KB
-
MD5
3cf0aadd7a3224eea6a51986d4762872
-
SHA1
b0a6bcb3a6b4fbb45e808b64877dea61500f588a
-
SHA256
0270d5596c31ec92bb6eaacb220ef3ac5ee8e1df60d38e46b8d1b7b5b2a9b519
-
SHA512
88a6992e76cfb14d3f0039c3d14efce33aad9f3631f23f2e276d753dedbd032d9e350472877457084070fbbed1f44be8cd116c800ffaf360f21240718226b209
-
SSDEEP
6144:lloZMUrIkd8g+EtXHkv/iD4fOuiiAfboAxUyzzq9wab8e1mWi:noZrL+EP8fOuiiAfboAxUyzzqpg
-
Detect Umbral payload
-
Detects executables attemping to enumerate video devices using WMI
-
Detects executables containing possible sandbox analysis VM names
-
Detects executables containing possible sandbox analysis VM usernames
-
Detects executables containing possible sandbox system UUIDs
-
Drops file in Drivers directory
-
Deletes itself
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-