General

  • Target

    AIMWARЕ.exe

  • Size

    231KB

  • Sample

    240526-kstfzsch6x

  • MD5

    6a5855afed7e8dfd5585fb9974325ed4

  • SHA1

    ed1d76c631c6f759bafc3ad95d9a44d2aea1421b

  • SHA256

    8ab8fc29e1ebd9b904d65813e7b33520a132dbec055d5c4cf8f101f67381174b

  • SHA512

    78c96cd5c9121cbcae1963d867182285f0aed92dab17e350c0b268278793370a78cac35de9b0b6014573f9a1d7d19af0a8441037fb43bd90d800775492c91583

  • SSDEEP

    6144:RloZM+rIkd8g+EtXHkv/iD4Nh6KywvrY6hkijD6Hg+lI8e1msAi:joZtL+EP8X6KywvrY6hkijD6d4jZ

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1234186783038767154/bfD8b739yPwVGaoq7IAOBItMUvfGQedSEolOJv2mG5JuLedrXSPNeas8U-wg2Y3P3XBu

Targets

    • Target

      AIMWARЕ.exe

    • Size

      231KB

    • MD5

      6a5855afed7e8dfd5585fb9974325ed4

    • SHA1

      ed1d76c631c6f759bafc3ad95d9a44d2aea1421b

    • SHA256

      8ab8fc29e1ebd9b904d65813e7b33520a132dbec055d5c4cf8f101f67381174b

    • SHA512

      78c96cd5c9121cbcae1963d867182285f0aed92dab17e350c0b268278793370a78cac35de9b0b6014573f9a1d7d19af0a8441037fb43bd90d800775492c91583

    • SSDEEP

      6144:RloZM+rIkd8g+EtXHkv/iD4Nh6KywvrY6hkijD6Hg+lI8e1msAi:joZtL+EP8X6KywvrY6hkijD6d4jZ

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks