General
Static task
static1
URLScan task
urlscan1
Malware Config
Extracted
Family
umbral
C2
https://discordapp.com/api/webhooks/1186062061508239390/wfwPZiGPzytybpy8t2Hsp4XOI3B_k0QMNcH-OzuAphqi3y6_IFvyz8BsbHzw84brTS6o
Targets
-
-
Target
https://zelenka.guru/proxy.php?link=https%3A%2F%2Fgofile.io%2Fd%2FrrVkK9&hash=aee71227bcd2e07805a068cfb8b0c4b2
-
Detect Umbral payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-