General

  • Target

    CRACKED-V4 (UPD).exe

  • Size

    58.1MB

  • Sample

    240421-qm9tnscd23

  • MD5

    2d3eebbf8c1a46b2f8443982b64ec61a

  • SHA1

    3ed59d3cb1c6c7b91187043a98026de5904f9dd7

  • SHA256

    1361f85f419e83f50a754cd8ca3d2c974eb60f6733dc634d7b74eb2ec63d418f

  • SHA512

    8a3ec42aa1de6e31befd9de6ebba448bfc7d6216615c08740db000787f03a92bc31311718a309a1862bb753bcfc7a0c72a02fe2cc1b5752cd7ded82954cf9db7

  • SSDEEP

    1572864:CRW/tqZfvql5cfSrbpFKCpPI93FvjafI/er3zpAEc34aD:C4/gfvcKSDpuv9eLtANr

Malware Config

Extracted

  • Family

    umbral

  • C2

    https://discord.com/api/webhooks/1231217325349539862/UF6Bqsegib1o7XkqaC2yU85lBNFVct0_272MJ_fHEZgoE2JpF2ZBlfNBWwPSL0-KJR4z

Targets

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an open-source modular stealer written in C#.

    • Creates new service(s)

    • Drops file in Drivers directory

    • Stops running service(s)

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks