General

  • Target

    2784277bd68152abf75c6c6d59fab7af.bin

  • Size

    2.3MB

  • Sample

    240422-bhm2sadd45

  • MD5

    6289fc334a891dafe795b29a6ab0651e

  • SHA1

    c8455171cf69b5d788a49027999e647e99de8784

  • SHA256

    f7f0d4807d0f122eb51a61e3e3899f141a0cbd89c51515dd6216053df160fa9c

  • SHA512

    efeebc73a253107821971efa3e999fa5227e544833ac980a5b8988ee2246cb38db69439dce6508ec34f09e9919995a4282bf18bd5ad1cba081c255fb81e88dc3

  • SSDEEP

    49152:7HY7ZV4HSlHLySg9UBnUppNKDT0yUl/a10CnAulo8dq7gS:7HY7ZqQeD9U4KDIHmrJqkS

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1225910337656590376/EwVP3wlMQgDXxoBxwLhaflFWF2WGja-17Tz3uwtoNirVyl9iU_nVCUsOrUJN46JTk-_-

Targets

    • Target

      737bba8d3e9ad3e1526bf5949962af3b37107c80c767c473a820999eae507fbc.exe

    • Size

      2.3MB

    • MD5

      2784277bd68152abf75c6c6d59fab7af

    • SHA1

      e1d047c97e3bdfe273b215b42eccde32ca2ca63f

    • SHA256

      737bba8d3e9ad3e1526bf5949962af3b37107c80c767c473a820999eae507fbc

    • SHA512

      e05b8251c9f6c59c7901d72c58f5b8c35dc376068368e67f81ee79da4287ddfc25c6ca5893d87944ed21c592bdd62f57d40a9f78c9af56762f33b010dd10b62c

    • SSDEEP

      49152:T2Q8G4mSmM8sik/AJ+/GRfzlW+oCZBNKoiYNsVjGMFWm02qG6zSo2:T2VmT8B4JAGllW+DBNdtN811

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an open-source modular stealer written in C#.

    • AgentTesla payload

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks