General

  • Target

    start.dll.exe

  • Size

    232KB

  • Sample

    240522-rq95aaec8s

  • MD5

    ec6f1481d7bb030213e34efe0590f54b

  • SHA1

    f3e453c2534a88bea7da27043a781e3eb8650e90

  • SHA256

    bb8117f1bf2b6af1409762f7959448c15f7cad6a3ad5c8cf484da64fe1dcafc0

  • SHA512

    9284b5f85a730c70c7a88a70751d1e20bce7eb7d55d98f808e8cbab83e3f36df87e344091de5b04c0738cad47569d704cf5537e1e40ad50cc73508b8bff16fc0

  • SSDEEP

    6144:tloZM3fsXtioRkts/cnnK6cMl3kOA4+ZRSZ3qCDjaI1/b8e1mWi:voZ1tlRk83Ml3kOA4+ZRSZ3qCDjaoc

Malware Config

Extracted

Family

umbral

C2

https://discordapp.com/api/webhooks/1228330512779579403/5toLS2_FpTV6Z6cML4nCtldtoZ7YWCs6aBHnNRbgdRXBePNjv7RtNfYJUtf0pkvhRqT-

Targets

    • Target

      start.dll.exe

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an open-source modular stealer written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15