General

  • Target

    solara3.1.zip

  • Size

    93KB

  • Sample

    240520-mh46vafd42

  • MD5

    067524d2b7c1e7575b1ff841b854e55e

  • SHA1

    2253f3710d8641c262d232dcf31b9e8234c04026

  • SHA256

    2df439e8c9ee999f550f555e938904fcc435aa9836fbb6c962c41d8b99002c50

  • SHA512

    adb6e1dbe47a78e0c828b886a9d34d125e8fb7724d63d27a717fff878b399de12a1ca94d5c9f935c168aead1c0f1bed407e869bca9cab5aa0f85d651463e317a

  • SSDEEP

    1536:nRFNh4zuKupSGyhUnVMaOBNkTCcQ86gAAaV7O6pwK9nTx/nR7sdDHtFo15F8S41y:nnz4nGyhUCa1TS/A266b/nR7SNWd8H1y

Malware Config

Extracted

Family

umbral

C2

https://discordapp.com/api/webhooks/1218996541960753294/boru4OIiPZlcyQ-ZGV0nkmj3mwQ4Plfv_FNHDZjSkufOGGGnNhBMqMsXP44o9KmN4QSW

Targets

    • Target

      solara3.1.exe

    • Size

      231KB

    • MD5

      7340ffe16733c99a8f1904d4594951d6

    • SHA1

      1522dc62d3f4658d50f48739eb9657f4b736be3d

    • SHA256

      b5f99328387778a288470830b0e6aaaf401a55c23cd042e2a78041e10ea343b1

    • SHA512

      9d8bc3b2476c0b9499762f9cff98b3df0ef9d478f976f74a30c534fd2d09b2e14883db6c5485b5df6a9e527b5945c12f326ecc1eb4fae54c1561a0159a086245

    • SSDEEP

      6144:RloZM3fsXtioRkts/cnnK6cMlXrLwEKtFudr20VJgkTb8e1mCi:joZ1tlRk83MlXrLwEKtFudr20VJgek

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an open-source modular stealer written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks