General

  • Target

    Umbral.exe

  • Size

    231KB

  • Sample

    240526-wkqwnsfe88

  • MD5

    e9e39a33854ca8af45f6048dd49f265b

  • SHA1

    d19011ba34adf3135335aa9839d24e1b5c5dde71

  • SHA256

    e5da8ebc635776269ddceed41b6b6c0860071dafbe121b3fa17e63d01effd26c

  • SHA512

    703fdc9b9d086329a7273138920904fa0bf3d9917c0db74fcba1853bf1ecd42fd3144725238104e98ebac95f31da5d38551b3f97fb6c72ffdd0c60dbdc4d35cf

  • SSDEEP

    6144:YOSAnvuqXLUirFMWyW1bYcUNSzNc0jqatc2J8e1mvSTU:vDqyFMWyW1bYcUNSzNc0jqIj2T

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1217768046605766696/gn6PUBb8r8h-ssnZZH9n8QvTpzjMoBR_xyAAZJ3G_7VPtrVhrvMFld8uZyrHHcP957xT

Targets

    • Target

      Umbral.exe

    • Size

      231KB

    • MD5

      e9e39a33854ca8af45f6048dd49f265b

    • SHA1

      d19011ba34adf3135335aa9839d24e1b5c5dde71

    • SHA256

      e5da8ebc635776269ddceed41b6b6c0860071dafbe121b3fa17e63d01effd26c

    • SHA512

      703fdc9b9d086329a7273138920904fa0bf3d9917c0db74fcba1853bf1ecd42fd3144725238104e98ebac95f31da5d38551b3f97fb6c72ffdd0c60dbdc4d35cf

    • SSDEEP

      6144:YOSAnvuqXLUirFMWyW1bYcUNSzNc0jqatc2J8e1mvSTU:vDqyFMWyW1bYcUNSzNc0jqIj2T

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks