General

Target: PrimeN1troGenerator.exe
Size: 214KB
Sample: 240520-cvefvafh5w
MD5: 8bd85b95fd1ac8e340c767285a07fdb9
SHA1: a7078c6bc3bce43e55d276f5a3af06b6be5e239d
SHA256: 52a259a701bb38e3770cbdd87af27124ea6f1821bcea69dab859391e8ab8e84c
SHA512: ef778acec8a979a4a17f10ffdbb0c31f5b4dd8e2293ffa3f99624cbc21b892577aaaf9917603b0e9be0818e930ff6b4f51a5e67aab576e6ee67f281fa91be66e
SSDEEP: 3072:GlP/chtWkOIGSuvD6vdnsUSaC7liDDxIfbw44lllllj02cgSl8eN7b0JX8OZnXT8:+cyHIGodsUS7eDajb8eNH5OZD
Malware Config

Extracted family: umbral
C2 (Discord webhook): https://discord.com/api/webhooks/1239128191910543402/7bs3_j5w3Xe1_L8A7FX6pzZ8qsyJc_6VqvKD2KyMK_IdQSU6u78PNAgemXSvcI25pwY2
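A small triage helper, added here as an example and not part of the sandbox report, that checks a file's hashes against the IOCs listed above and pulls Discord webhook URLs out of a binary. The hashes and the webhook URL are the report's own; the constructed byte blob, the regular expression and the function names are assumptions. Umbral is a .NET (C#) stealer, so its string literals sit in the assembly as UTF-16LE, which is why the scanner decodes the blob both as single-byte text and as UTF-16LE at both byte alignments.

```python
"""Triage helper for the Umbral sample above (added example, not report code).
(1) checks a file's hashes against the report's IOCs;
(2) extracts Discord webhook URLs, decoding ASCII and UTF-16LE."""
import hashlib
import re

# IOC hashes copied from the report above.
IOC_HASHES = {
    "md5": "8bd85b95fd1ac8e340c767285a07fdb9",
    "sha1": "a7078c6bc3bce43e55d276f5a3af06b6be5e239d",
    "sha256": "52a259a701bb38e3770cbdd87af27124ea6f1821bcea69dab859391e8ab8e84c",
}

# Discord webhook URL: numeric snowflake id, then a long URL-safe token.
WEBHOOK_RE = re.compile(
    r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/"
    r"(?P<id>\d{17,20})/(?P<token>[A-Za-z0-9_-]{60,80})"
)


def check_hashes(data: bytes) -> dict:
    """Return {algo: True/False} for each report hash the bytes match."""
    return {
        algo: hashlib.new(algo, data).hexdigest() == expected
        for algo, expected in IOC_HASHES.items()
    }


def _candidate_strings(data: bytes):
    # Single-byte view (ASCII strings in native code or resources).
    yield data.decode("latin-1")
    # UTF-16LE at both alignments (.NET #US heap strings), tolerating junk.
    for off in (0, 1):
        yield data[off:].decode("utf-16-le", errors="replace")


def extract_webhooks(data: bytes) -> list:
    """Deduplicated list of {'url', 'id', 'token'} dicts found in the blob."""
    seen, found = set(), []
    for text in _candidate_strings(data):
        for m in WEBHOOK_RE.finditer(text):
            if m.group("id") not in seen:
                seen.add(m.group("id"))
                found.append({"url": m.group(0), "id": m.group("id"),
                              "token": m.group("token")})
    return found


def redact(hook: dict) -> str:
    """Report-safe form: keep the id (needed for a takedown), hide the token."""
    return f"discord webhook id={hook['id']} token={hook['token'][:4]}...(redacted)"


# Constructed sample (assumption): the report's webhook embedded as UTF-16LE
# between filler bytes, roughly as it would sit in a .NET #US heap.
SAMPLE_URL = ("https://discord.com/api/webhooks/1239128191910543402/"
              "7bs3_j5w3Xe1_L8A7FX6pzZ8qsyJc_6VqvKD2KyMK_IdQSU6u78PNAgemXSvcI25pwY2")
SAMPLE_BLOB = b"MZ\x90\x00" + b"\x00" * 16 + SAMPLE_URL.encode("utf-16-le") + b"\x00\x00junk"

if __name__ == "__main__":
    print("hash matches:", check_hashes(SAMPLE_BLOB))
    for hook in extract_webhooks(SAMPLE_BLOB):
        print(redact(hook))
```

Run it against the real file by replacing SAMPLE_BLOB with the file's bytes; the constructed blob above will, as expected, match none of the report's hashes. Keep the webhook id and token apart in your notes: the id is enough to report the webhook to Discord, while the token is the credential that lets anyone post to it.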
Targets

Target: PrimeN1troGenerator.exe
Size: 214KB
Hashes: MD5, SHA1, SHA256, SHA512 and SSDEEP identical to those listed under General.
Detect Umbral payload

Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes so the dropped payload is not scanned (the Add-MpPreference cmdlet is the usual vehicle for this; the report does not show the exact command line).

Legitimate hosting services abused for malware hosting/C2
Exfiltrates over a Discord webhook (see the extracted configuration), so the C2 traffic blends into ordinary discord.com connections.

Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP; the report does not name which service.
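Detection logic for the two behaviours flagged above (PowerShell adding Defender exclusions, and the external-IP lookup), run over a few constructed log records. This is an added example, not part of the sandbox report: the event strings, the list of IP-lookup hosts and the extra rule for Set-MpPreference -Disable* tamper commands are assumptions that go beyond what the report states, and real field names depend on the collector.

```python
"""Hunting rules for the behaviours in the report above (added example).
Input: PowerShell command lines (e.g. from ScriptBlock/4688 telemetry) and
a list of DNS query names. Base64 -EncodedCommand payloads are decoded
first so the rules see the real script rather than its wrapper."""
import base64
import re

# Add-MpPreference / Set-MpPreference with an exclusion switch: the
# behaviour the report describes.
EXCLUSION_RE = re.compile(
    r"\b(?:Add|Set)-MpPreference\b[^\n]*?-Exclusion(?:Path|Extension|Process)\b",
    re.IGNORECASE,
)
# Set-MpPreference -Disable<Feature>: assumed sibling tamper command, not stated in the report.
TAMPER_RE = re.compile(r"\bSet-MpPreference\b[^\n]*?-Disable\w+", re.IGNORECASE)
# powershell -e / -ec / -enc / -EncodedCommand <base64 of UTF-16LE script>
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

# Assumed list of commonly abused IP-lookup services; the report does not name the one used.
IP_LOOKUP_HOSTS = {"api.ipify.org", "icanhazip.com", "ifconfig.me", "ip-api.com", "ipinfo.io"}


def expand_encoded(cmdline: str) -> str:
    """Append the decoded script of every -EncodedCommand argument found."""
    out = cmdline
    for m in ENC_RE.finditer(cmdline):
        try:
            out += "\n" + base64.b64decode(m.group(1)).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):  # not really base64 / not UTF-16LE
            continue
    return out


def classify_powershell(cmdline: str) -> list:
    """Tags for one PowerShell command line; empty list means nothing suspicious."""
    text = expand_encoded(cmdline)
    tags = []
    if EXCLUSION_RE.search(text):
        tags.append("defender_exclusion")
    if TAMPER_RE.search(text):
        tags.append("defender_disable")
    return tags


def ip_lookup_hits(query_names) -> list:
    """DNS names from the input that belong to known IP-lookup services."""
    return sorted(h for h in query_names if h.lower() in IP_LOOKUP_HOSTS)


# Constructed telemetry (assumption, not real logs from this sample).
SAMPLE_EVENTS = [
    'powershell.exe -NoProfile -Command "Add-MpPreference -ExclusionPath $env:APPDATA '
    '-ExclusionExtension exe -ExclusionProcess PrimeN1troGenerator.exe"',
    "powershell.exe -w hidden -e "
    + base64.b64encode("Set-MpPreference -DisableRealtimeMonitoring $true".encode("utf-16-le")).decode(),
    "powershell.exe Get-MpPreference | Select ExclusionPath",   # benign admin check
]
SAMPLE_DNS = ["api.ipify.org", "discord.com", "windowsupdate.microsoft.com"]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(classify_powershell(ev) or "-", ev[:70])
    print("ip lookup:", ip_lookup_hits(SAMPLE_DNS))
```

The regexes catch the plain and base64-wrapped forms only; abbreviated parameters (PowerShell accepts any unambiguous prefix such as -ExclusionPa), string concatenation, or exclusions set through the MSFT_MpPreference WMI class will slip past them, so pair this with Windows Defender's own operational log, which records exclusion changes regardless of how they were made.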