General
- Target: Umbral.exe
- Size: 229KB
- Sample: 240503-y3zmmshd26
- MD5: dd294f4a30b78637d2de6ae794442508
- SHA1: 2f28200fb482bb7f280ecde35070b8bf181900ef
- SHA256: a89f3d297cbac8b605cd554dd0ea7891c7fcff9e63c7c22810d1c8121fd128b1
- SHA512: cc4343ab3d9dc6f6eb8312a28df24442280144d3c54fe3fca65412b6285ae98c264a67a70a86b1fd73418bee535ea5adbe968e7b48a40ad833beaabf459d7bf5
- SSDEEP: 6144:1loZMLrIkd8g+EtXHkv/iD4n9ruuMzvERlwOffu2/b8e1mR6i:XoZ0L+EP8n9ruuMzvERlwOffuYK
Malware Config
Extracted
- Family: umbral
- Webhook URL: https://discord.com/api/webhooks/1236047504458518648/JQRxvzCGg9gVDBGAsCh4Y7lt6-VpyZJcpy_w2pc8Qwt0sZVsg3Znypp4Lv0kPFzHxpM9
Targets
- Target: Umbral.exe (229KB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General)

Signatures
- Detect Umbral payload
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Drops file in Drivers directory
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.