General

  • Target

    Umbral.exe

  • Size

    232KB

  • Sample

    240506-n6nz7seb98

  • MD5

    afbe250f9d941daf1fc895e29d0b2821

  • SHA1

    9aeaa55efa56702a0c2694ff2de3a5c6df7b03ac

  • SHA256

    628d7cd6016b226c4e5e5252b29dc89e42d30ffebfb489e36857079aad591ce6

  • SHA512

    177ddc51032af306d32c0826efddfa3be5e68621b440be764fba7ad37fd982fb58d7e902e4eb258fe50bbd236f82457e45e7d12a885c78314b304e72fb0f2c94

  • SSDEEP

    6144:tloZMDXU9Zx0kt8X0/PSCsMpwpf3tW+x5R0STTKN0b8e1mKISi:voZnf0kkPQwpf3tW+x5R0STTKm2

Malware Config

Extracted

Family

umbral

C2

https://canary.discord.com/api/webhooks/1236998752988823573/NsiSmSiQW8IAMjpG8SIg_6Zkfz_FbtFHloBWpL6PbxmkMA2TAyh0tCrgXWEmC3ZyASfA

Targets

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an open-source modular stealer written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks