General

  • Target

    https://cdn.discordapp.com/attachments/1228830370326249553/1228830718818517103/KrampusCrk-ByAnt4c.rar?ex=662d78c9&is=661b03c9&hm=356a4c85bed61285b3230317537cc823ce0d2f891d20b00421d416b0cda0b87e&

  • Sample

    240413-155b1sdg3y

Score
10/10

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1227683059114049609/J-NRozb82rWMygV4-7Yy0RMllueaLQzhGa-3Da0fHcUN49PnTuKYn0Czl7gR_VfWxkpx

Targets

    • Target

      https://cdn.discordapp.com/attachments/1228830370326249553/1228830718818517103/KrampusCrk-ByAnt4c.rar?ex=662d78c9&is=661b03c9&hm=356a4c85bed61285b3230317537cc823ce0d2f891d20b00421d416b0cda0b87e&

    Score
    10/10
    • Detect Umbral payload

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks