General

  • Target

    Baff-Client.exe

  • Size

    2.5MB

  • Sample

    240430-wwtrpsee96

  • MD5

    9fd0f7db06bff594211a07bf5a8d0c5f

  • SHA1

    16d1c8cbf0e88d6f3072496e2cf2e23aa9a8b73c

  • SHA256

    c2fe031b82902573e409659f73e1dd19ac2ce404bcc6d15d2f2d41f5988294b6

  • SHA512

    d7d1cd5ca652c7a503f71c0f2f606ee8f71ea88b65d2cfebae65e794134bead7612c4684967a2d5f514aaebb0d4aa7eecb74ca8910536e656bcc65cfcaa18c27

  • SSDEEP

    49152:9u+uYrkM0Xfv7AMVjp96KqkQQ/+MPZrzru8Rtw:9pE7X6KqJoVvu8

Malware Config

Targets

    • Target

      Baff-Client.exe

    • Size

      2.5MB

    • MD5

      9fd0f7db06bff594211a07bf5a8d0c5f

    • SHA1

      16d1c8cbf0e88d6f3072496e2cf2e23aa9a8b73c

    • SHA256

      c2fe031b82902573e409659f73e1dd19ac2ce404bcc6d15d2f2d41f5988294b6

    • SHA512

      d7d1cd5ca652c7a503f71c0f2f606ee8f71ea88b65d2cfebae65e794134bead7612c4684967a2d5f514aaebb0d4aa7eecb74ca8910536e656bcc65cfcaa18c27

    • SSDEEP

      49152:9u+uYrkM0Xfv7AMVjp96KqkQQ/+MPZrzru8Rtw:9pE7X6KqJoVvu8

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

    • Creates new service(s)

    • Stops running service(s)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks