General

  • Target

    Umbral.exe

  • Size

    229KB

  • Sample

    240503-y3zmmshd26

  • MD5

    dd294f4a30b78637d2de6ae794442508

  • SHA1

    2f28200fb482bb7f280ecde35070b8bf181900ef

  • SHA256

    a89f3d297cbac8b605cd554dd0ea7891c7fcff9e63c7c22810d1c8121fd128b1

  • SHA512

    cc4343ab3d9dc6f6eb8312a28df24442280144d3c54fe3fca65412b6285ae98c264a67a70a86b1fd73418bee535ea5adbe968e7b48a40ad833beaabf459d7bf5

  • SSDEEP

    6144:1loZMLrIkd8g+EtXHkv/iD4n9ruuMzvERlwOffu2/b8e1mR6i:XoZ0L+EP8n9ruuMzvERlwOffuYK

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1236047504458518648/JQRxvzCGg9gVDBGAsCh4Y7lt6-VpyZJcpy_w2pc8Qwt0sZVsg3Znypp4Lv0kPFzHxpM9

Targets

    • Target

      Umbral.exe

    • Size

      229KB

    • MD5

      dd294f4a30b78637d2de6ae794442508

    • SHA1

      2f28200fb482bb7f280ecde35070b8bf181900ef

    • SHA256

      a89f3d297cbac8b605cd554dd0ea7891c7fcff9e63c7c22810d1c8121fd128b1

    • SHA512

      cc4343ab3d9dc6f6eb8312a28df24442280144d3c54fe3fca65412b6285ae98c264a67a70a86b1fd73418bee535ea5adbe968e7b48a40ad833beaabf459d7bf5

    • SSDEEP

      6144:1loZMLrIkd8g+EtXHkv/iD4n9ruuMzvERlwOffu2/b8e1mR6i:XoZ0L+EP8n9ruuMzvERlwOffuYK

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks