General

  • Target

    P o o k i e s L o a d e r.exe

  • Size

    232KB

  • Sample

    240511-zvrgqsha6y

  • MD5

    bc4368699114c45e9d4f751837467fdb

  • SHA1

    5f64e94c27dd0240c2604c6f9d8a746b5ce85e1a

  • SHA256

    11e30517a0f8838c940b35303a73b7b613c87e7aa9d8646c2e1877fae9450099

  • SHA512

    236879a4518e0ce1e1dade295933c78930171c0865cb9b539551fb6d1f1bdc68940b7e4ef6bc29966962eb0be2a13950722959f94d687c33293b7d4058f6e2b6

  • SSDEEP

    6144:mloZM+rIkd8g+EtXHkv/iD41oIOmkrHM09YW3X2Hgb8e1m9+ik:QoZtL+EP81oIOmkrHM09YW3X2o+zk

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1238951096227987546/w84ViGgetiPQtgPw-Bi9kuD9R1fRcowzO1NR8xy__rM9JanXq8ky_OxQMczblV7zYocq

Targets

    • Target

      P o o k i e s L o a d e r.exe

    • Size

      232KB

    • MD5

      bc4368699114c45e9d4f751837467fdb

    • SHA1

      5f64e94c27dd0240c2604c6f9d8a746b5ce85e1a

    • SHA256

      11e30517a0f8838c940b35303a73b7b613c87e7aa9d8646c2e1877fae9450099

    • SHA512

      236879a4518e0ce1e1dade295933c78930171c0865cb9b539551fb6d1f1bdc68940b7e4ef6bc29966962eb0be2a13950722959f94d687c33293b7d4058f6e2b6

    • SSDEEP

      6144:mloZM+rIkd8g+EtXHkv/iD41oIOmkrHM09YW3X2Hgb8e1m9+ik:QoZtL+EP81oIOmkrHM09YW3X2o+zk

    • Detect Umbral payload

    • Umbral

      Umbral Stealer is an open-source modular stealer written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers commonly target stored browser data, which can include saved credentials and session cookies.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to determine the infected system's external IP address.
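The behaviours listed above (Defender exclusions added via PowerShell, a Discord webhook as C2, and an external IP lookup) are the hunting hooks an analyst actually has from this report. The following is an added example, not part of the sandbox report or of Umbral's own code: it runs those checks over a handful of constructed telemetry lines (process command lines and proxy URLs). Only the webhook URL is taken from the extracted config; the Add-MpPreference command lines and the list of IP-lookup hosts are assumptions, since the report does not quote the exact commands or the service used. The webhook ID is a Discord snowflake, so its creation time can be decoded and compared with the sample date.

```python
"""Hunting helpers for the Umbral behaviours in this report (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Defender exclusions are added with Add-MpPreference (or Set-MpPreference).
# Assumption: the report only says "modify Windows Defender settings".
MP_PREFERENCE_RE = re.compile(r"\b(Add|Set)-MpPreference\b", re.IGNORECASE)
EXCLUSION_RE = re.compile(r"-Exclusion(Path|Extension|Process|IpAddress)\b", re.IGNORECASE)

# Discord webhook: 17-20 digit snowflake id, then a long URL-safe token.
DISCORD_WEBHOOK_RE = re.compile(
    r"https?://(?:(?:canary|ptb)\.)?discord(?:app)?\.com/api/webhooks/(\d{17,20})/([A-Za-z0-9_-]{50,})"
)
DISCORD_EPOCH_MS = 1420070400000  # 2015-01-01T00:00:00Z, start of Discord snowflake time

# Assumption: commonly used external-IP services; the report does not name the one used.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ipinfo.io", "ip-api.com", "icanhazip.com", "ifconfig.me"}
HOST_RE = re.compile(r"^https?://([^/:?#]+)", re.IGNORECASE)

# Constructed telemetry: (source, text). Not taken from the sandbox run,
# except the webhook URL, which is the report's extracted C2.
SAMPLE_EVENTS = [
    ("process", 'powershell.exe -WindowStyle Hidden Add-MpPreference -ExclusionPath "C:\\Users\\victim\\AppData\\Local\\Temp"'),
    ("process", 'powershell -Command "Add-MpPreference -ExclusionExtension exe,dll; Add-MpPreference -ExclusionProcess PookiesLoader.exe"'),
    ("process", "powershell.exe Get-MpPreference"),  # read-only, must not alert
    ("url", "https://discord.com/api/webhooks/1238951096227987546/w84ViGgetiPQtgPw-Bi9kuD9R1fRcowzO1NR8xy__rM9JanXq8ky_OxQMczblV7zYocq"),
    ("url", "https://discord.com/api/v9/gateway"),  # ordinary Discord traffic, must not alert
    ("url", "https://api.ipify.org/?format=json"),
]


@dataclass(frozen=True)
class Finding:
    technique: str
    source: str
    detail: str


def detect_defender_exclusions(cmdline: str) -> List[str]:
    """Return the exclusion kinds (lower-case) an Add/Set-MpPreference call adds."""
    if not MP_PREFERENCE_RE.search(cmdline):
        return []
    return sorted({m.group(1).lower() for m in EXCLUSION_RE.finditer(cmdline)})


def detect_discord_webhook(url: str) -> Optional[Tuple[str, str]]:
    """Return (webhook_id, token) if the URL is a Discord webhook endpoint."""
    m = DISCORD_WEBHOOK_RE.search(url)
    return (m.group(1), m.group(2)) if m else None


def webhook_created_utc(webhook_id: str) -> datetime:
    """Decode the snowflake: bits 22 and up are milliseconds since the Discord epoch."""
    ms = (int(webhook_id) >> 22) + DISCORD_EPOCH_MS
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(milliseconds=ms)


def detect_ip_lookup(url: str) -> Optional[str]:
    """Return the host if the URL points at a known external-IP lookup service."""
    m = HOST_RE.match(url)
    if m and m.group(1).lower() in IP_LOOKUP_HOSTS:
        return m.group(1).lower()
    return None


def scan(events) -> List[Finding]:
    """Run every detector over (source, text) records and collect findings."""
    findings: List[Finding] = []
    for source, text in events:
        if source == "process":
            kinds = detect_defender_exclusions(text)
            if kinds:
                findings.append(Finding("T1562.001 Impair Defenses: Defender exclusion", source, ",".join(kinds)))
        elif source == "url":
            hook = detect_discord_webhook(text)
            if hook:
                created = webhook_created_utc(hook[0]).strftime("%Y-%m-%dT%H:%M:%SZ")
                findings.append(Finding("T1102 Web Service: Discord webhook C2", source, f"id={hook[0]} created={created}"))
            host = detect_ip_lookup(text)
            if host:
                findings.append(Finding("T1016 External IP lookup", source, host))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.technique:45} {f.source:8} {f.detail}")
```

On a suspect host the same exclusions can be audited directly with `Get-MpPreference | Select-Object ExclusionPath, ExclusionExtension, ExclusionProcess`; any entry pointing at a user-writable directory or at the loader's process name is worth a look. Decoding the webhook snowflake gives the time the webhook was created, which here lands on the same day as the sample ID (240511), a useful hint that the C2 channel was set up for this campaign rather than reused.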

MITRE ATT&CK Enterprise v15

Tasks