General

  • Target

    0270d5596c31ec92bb6eaacb220ef3ac5ee8e1df60d38e46b8d1b7b5b2a9b519

  • Size

    229KB

  • Sample

    240320-vpehrsdf22

  • MD5

    3cf0aadd7a3224eea6a51986d4762872

  • SHA1

    b0a6bcb3a6b4fbb45e808b64877dea61500f588a

  • SHA256

    0270d5596c31ec92bb6eaacb220ef3ac5ee8e1df60d38e46b8d1b7b5b2a9b519

  • SHA512

    88a6992e76cfb14d3f0039c3d14efce33aad9f3631f23f2e276d753dedbd032d9e350472877457084070fbbed1f44be8cd116c800ffaf360f21240718226b209

  • SSDEEP

    6144:lloZMUrIkd8g+EtXHkv/iD4fOuiiAfboAxUyzzq9wab8e1mWi:noZrL+EP8fOuiiAfboAxUyzzqpg

Score
10/10

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1215354076070416395/CwG01eqjipZ-wtJblRR97YhlG5NVOLYDULEHAq-3eGYVs_FuLML92YFisYpVszTYHv4j

Targets

    • Target

      0270d5596c31ec92bb6eaacb220ef3ac5ee8e1df60d38e46b8d1b7b5b2a9b519

    • Size

      229KB

    • MD5

      3cf0aadd7a3224eea6a51986d4762872

    • SHA1

      b0a6bcb3a6b4fbb45e808b64877dea61500f588a

    • SHA256

      0270d5596c31ec92bb6eaacb220ef3ac5ee8e1df60d38e46b8d1b7b5b2a9b519

    • SHA512

      88a6992e76cfb14d3f0039c3d14efce33aad9f3631f23f2e276d753dedbd032d9e350472877457084070fbbed1f44be8cd116c800ffaf360f21240718226b209

    • SSDEEP

      6144:lloZMUrIkd8g+EtXHkv/iD4fOuiiAfboAxUyzzq9wab8e1mWi:noZrL+EP8fOuiiAfboAxUyzzqpg

    Score
    10/10
    • Detect Umbral payload

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

    • Detects executables attemping to enumerate video devices using WMI

    • Detects executables containing possible sandbox analysis VM names

    • Detects executables containing possible sandbox analysis VM usernames

    • Detects executables containing possible sandbox system UUIDs

    • Drops file in Drivers directory

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks