General

  • Target

    release.exe

  • Size

    234KB

  • Sample

    240502-nmwkyafh6v

  • MD5

    d3b91f66624b3bc4d6fdc49e7ed650e8

  • SHA1

    cbe16636131cd52582078775d46f309c4f3a6164

  • SHA256

    2b49183d5f11acec481c4de2bbf9f7059f2a99137c0d26852be34a8a992275c8

  • SHA512

    c2215aa8a089c26bd45f96673ce165bf1e9c937a0b54742e4b01c6f79165f5875ef5e7bde86b80d988e38d2379cab14ac3aef920a3844bb09a51f7eacd8a6f10

  • SSDEEP

    6144:HloZM+rIkd8g+EtXHkv/iD4evkQrRiK1rwBzOur8lb8e1mTYaij:FoZtL+EP8evkQrRiK1rwBzOurcFf

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1226211633320427650/4AB_r-5Q7D5mN9GdOOKvjGMNmRsdPpYO-7d78Olf6h-fyJtK4mRcK7fbSJG7ran98sbf

Targets

    • Target

      release.exe

    • Size

      234KB

    • MD5

      d3b91f66624b3bc4d6fdc49e7ed650e8

    • SHA1

      cbe16636131cd52582078775d46f309c4f3a6164

    • SHA256

      2b49183d5f11acec481c4de2bbf9f7059f2a99137c0d26852be34a8a992275c8

    • SHA512

      c2215aa8a089c26bd45f96673ce165bf1e9c937a0b54742e4b01c6f79165f5875ef5e7bde86b80d988e38d2379cab14ac3aef920a3844bb09a51f7eacd8a6f10

    • SSDEEP

      6144:HloZM+rIkd8g+EtXHkv/iD4evkQrRiK1rwBzOur8lb8e1mTYaij:FoZtL+EP8evkQrRiK1rwBzOurcFf

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks