General
-
Target
Excess_nls.scr
-
Size
247KB
-
Sample
240510-darq4sef2z
-
MD5
7435510d618cc836b23a1bb1791b67b2
-
SHA1
1428f359a72436dc70e288963d6fb04387e94bd4
-
SHA256
28b8e4f41d9f11d19a188dc903d3a8d37a643d5e3d61b260ddc01a4fd475b91d
-
SHA512
5ccc5f49c7752d5367b4e7e4a858ac462e06a7eed7231b8dd96c8c441290e99e71fda3eaffec808656e7a3030c9cf476fc144a102a4ef373d7f184d40fdcfd7b
-
SSDEEP
6144:bloZM+rIkd8g+EtXHkv/iD46UsziAfboMxUyzzqG2b8e1mWuFeiQfWsy:5oZtL+EP86UsziAfboMxUyzzq9futQf
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1238178545021223043/3ZwoReIQJSAQr16Af1BPQ_NiaK5GtGr7sxQn3Lgc4WKZeQw7NFQBrtoUb7cgT9HvE0v4
Targets
-
-
Target
Excess_nls.scr
-
Size
247KB
-
MD5
7435510d618cc836b23a1bb1791b67b2
-
SHA1
1428f359a72436dc70e288963d6fb04387e94bd4
-
SHA256
28b8e4f41d9f11d19a188dc903d3a8d37a643d5e3d61b260ddc01a4fd475b91d
-
SHA512
5ccc5f49c7752d5367b4e7e4a858ac462e06a7eed7231b8dd96c8c441290e99e71fda3eaffec808656e7a3030c9cf476fc144a102a4ef373d7f184d40fdcfd7b
-
SSDEEP
6144:bloZM+rIkd8g+EtXHkv/iD46UsziAfboMxUyzzqG2b8e1mWuFeiQfWsy:5oZtL+EP86UsziAfboMxUyzzq9futQf
Score10/10-
Detect Umbral payload
-
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-