General

  • Target

    Newtonsoft.Json.zip

  • Size

    1.5MB

  • Sample

    240503-zh4xashg54

  • MD5

    4ed0fb07a6f6eac3a8393f7e921469ad

  • SHA1

    8a35522ee4037f4118666032ed19372a2d082a0c

  • SHA256

    b7f491f401f7e55c8120d87d7f36eded59ca86e48b91dc7612df915c5fbdd755

  • SHA512

    4452efaa59883a32925d66c025dc50d099d09e1539e0e378da7dfdcd62228e910ed9471efa4e53341ce4df339c0e6f1fb92e70e86542dd0ff6c275607014611a

  • SSDEEP

    24576:vkPAL8N9Bs8YqGyWSBrsp/TyJrR/APhbXXKPhK+kUQh4zvoUSr03:vkPAL2ZYMYp0BQ2PhU477SU

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1236047504458518648/JQRxvzCGg9gVDBGAsCh4Y7lt6-VpyZJcpy_w2pc8Qwt0sZVsg3Znypp4Lv0kPFzHxpM9

Targets

    • Target

      Newtonsoft.Json.zip

    • Size

      1.5MB

    • MD5

      4ed0fb07a6f6eac3a8393f7e921469ad

    • SHA1

      8a35522ee4037f4118666032ed19372a2d082a0c

    • SHA256

      b7f491f401f7e55c8120d87d7f36eded59ca86e48b91dc7612df915c5fbdd755

    • SHA512

      4452efaa59883a32925d66c025dc50d099d09e1539e0e378da7dfdcd62228e910ed9471efa4e53341ce4df339c0e6f1fb92e70e86542dd0ff6c275607014611a

    • SSDEEP

      24576:vkPAL8N9Bs8YqGyWSBrsp/TyJrR/APhbXXKPhK+kUQh4zvoUSr03:vkPAL2ZYMYp0BQ2PhU477SU

    Score
    1/10
    • Target

      Guna.UI2.dll

    • Size

      2.1MB

    • MD5

      c19e9e6a4bc1b668d19505a0437e7f7e

    • SHA1

      73be712aef4baa6e9dabfc237b5c039f62a847fa

    • SHA256

      9ac8b65e5c13292a8e564187c1e7446adc4230228b669383bd7b07035ab99a82

    • SHA512

      b6cd0af436459f35a97db2d928120c53d3691533b01e4f0e8b382f2bd81d9a9a2c57e5e2aa6ade9d6a1746d5c4b2ef6c88d3a0cf519424b34445d0d30aab61de

    • SSDEEP

      49152:6QNztBO2+VN7N3HtnPhx70ZO4+CPXOn5PThDH2TBeHjvjiBckYf+Yh/FJ3:6Ahck2z

    Score
    1/10
    • Target

      Newtonsoft.Json.dll

    • Size

      695KB

    • MD5

      195ffb7167db3219b217c4fd439eedd6

    • SHA1

      1e76e6099570ede620b76ed47cf8d03a936d49f8

    • SHA256

      e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

    • SHA512

      56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

    • SSDEEP

      12288:GBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUO:GBjk38WuBcAbwoA/BkjSHXP36RMG/

    Score
    1/10
    • Target

      Newtonsoft.Json.xml

    • Size

      696KB

    • MD5

      d398ffe9fdac6a53a8d8bb26f29bbb3c

    • SHA1

      bffceebb85ca40809e8bcf5941571858e0e0cb31

    • SHA256

      79ee87d4ede8783461de05b93379d576f6e8575d4ab49359f15897a854b643c4

    • SHA512

      7db8aac5ff9b7a202a00d8acebce85df14a7af76b72480921c96b6e01707416596721afa1fa1a9a0563bf528df3436155abc15687b1fee282f30ddcc0ddb9db7

    • SSDEEP

      6144:XqqU+k/Rik5aG0rH3jGHdl0/IdHXpgVIeR0R+CRFo9TA82m5Kj+sJjoqoyO185QA:DU1

    Score
    1/10
    • Target

      RocketTitles.exe

    • Size

      464KB

    • MD5

      f11a1e49b2e53e4ad13c68c049d69c1f

    • SHA1

      26fca9e7cdd2deb0a085597eaacc96d5f96e88a8

    • SHA256

      81ba1eb0965ae6b7755e79a5d8ad19cb9ece2ba87e5e25cd718fe722c1c277e1

    • SHA512

      932b02adc97750357b95d59dfe41e8d414690c0a8437e2c1bcb5ff6bde913639a3145371837ba7a570508e06f1282a12925fe0b10ebf04ee550fb5590ba3977c

    • SSDEEP

      12288:MMms0Qz3DUyTfvqCT/4k2QjqGpNBOewDlJ:MfsjDR3qCr4khqGrUtDlJ

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

    • AgentTesla payload

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      RocketTitles.exe.config

    • Size

      189B

    • MD5

      9dbad5517b46f41dbb0d8780b20ab87e

    • SHA1

      ef6aef0b1ea5d01b6e088a8bf2f429773c04ba5e

    • SHA256

      47e5a0f101af4151d7f13d2d6bfa9b847d5b5e4a98d1f4674b7c015772746cdf

    • SHA512

      43825f5c26c54e1fc5bffcce30caad1449a28c0c9a9432e9ce17d255f8bf6057c1a1002d9471e5b654ab1de08fb6eabf96302cdb3e0fb4b63ba0ff186e903be8

    Score
    3/10
    • Target

      RocketTitles.pdb

    • Size

      177KB

    • MD5

      896ae4b971bff3190dc0019d49476a31

    • SHA1

      05434f3ef5d3d0151a90867b3a6f41e1298d30d8

    • SHA256

      cc554efe3221c48d662541b582e49f9da84b8f5ac6e10c3eee95955ef20219dc

    • SHA512

      9cff0e126c3179c4c5dac3e69190268980bae75addb391e9e967e71feda99d7518c1dd84740ac68ffb56207bdbdcf1399b2307200b74c490c283288f5fa9120f

    • SSDEEP

      3072:4RpMYTwqWl1ULDHNl/CIqNIPC0QFzTsS00ryNiaCcIPF0QFzTsS00ryIi:UTwZl1GDHNlqIqNIPC0QFzTsS00ryCcJ

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks