General

  • Target

    Pookies Bypasser.exe

  • Size

    229KB

  • Sample

    240511-pmq6wsag93

  • MD5

    5dcae9f331eabd47b8a078fad0f812c8

  • SHA1

    39baa462feac529cc7d907a9bc7028444748992e

  • SHA256

    6594aa4b2efc8137b453fe978ae2ff5ae6f055e4d79539fa4804933e208ffdf4

  • SHA512

    3ae8037c1bb7e48a2e0d1d8a06faba35bd998c6dda8f5c8dbe8a7cfae51e8c5f8ce6da3ba379a8690549a6bb5b2c9ef05b703aa34eaeabdc9ebb952dc083d756

  • SSDEEP

    6144:VloZM+rIkd8g+EtXHkv/iD4S2eNiAfboSxUyzzqbKb8e1mri:3oZtL+EP8S2eNiAfboSxUyzzqyZ

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1238573290897805363/rEn2kuwhqAY8-wzK_hJfcoX6uIKlS9BrmN1CZytvMBmT8owPn9R_GNCKYmm1J867GYYX

Targets

    • Target

      Pookies Bypasser.exe

    • Size

      229KB

    • MD5

      5dcae9f331eabd47b8a078fad0f812c8

    • SHA1

      39baa462feac529cc7d907a9bc7028444748992e

    • SHA256

      6594aa4b2efc8137b453fe978ae2ff5ae6f055e4d79539fa4804933e208ffdf4

    • SHA512

      3ae8037c1bb7e48a2e0d1d8a06faba35bd998c6dda8f5c8dbe8a7cfae51e8c5f8ce6da3ba379a8690549a6bb5b2c9ef05b703aa34eaeabdc9ebb952dc083d756

    • SSDEEP

      6144:VloZM+rIkd8g+EtXHkv/iD4S2eNiAfboSxUyzzqbKb8e1mri:3oZtL+EP8S2eNiAfboSxUyzzqyZ

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an open-source modular stealer written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks