General
- Target: Umbral.exe
- Size: 227KB
- Sample: 240529-xklsdseh25
- MD5: 352d7bc3f16944c271e510f0bfad2b71
- SHA1: fb31618e42f6beecf323f045f8453e7ecb67f0ea
- SHA256: 18b39864c478ca8d947a0b08e48965402477064b4c6975831f18b141d2a1d21f
- SHA512: c69b31c6d74dbd6342e857a2411c96af670022831ce48000385ec05a07f9465e24878eeefbdd6f26f7f9ef34a6b2e8501523151a38f63dc51294e7f280bdaf0f
- SSDEEP: 6144:+loZM+rIkd8g+EtXHkv/iD4nAaBJX8QfF+nJUg1vbb8e1mUMi:ooZtL+EP8nAaBJX8QfF+nJUg1XFF
Behavioral task
- behavioral1
  - Sample: Umbral.exe
  - Resource: win7-20240215-en
Malware Config
- Extracted: umbral
  - Discord webhook URL: https://discord.com/api/webhooks/1245448172436721717/Bkdu-x06BGUQbFzh0vM16H3yT_3yoXWRwoNsxvlyChXcLKWGdmsFpN85Lbd4wBNm2fuY
Targets
- Target: Umbral.exe
  - Size: 227KB
  - MD5: 352d7bc3f16944c271e510f0bfad2b71
  - SHA1: fb31618e42f6beecf323f045f8453e7ecb67f0ea
  - SHA256: 18b39864c478ca8d947a0b08e48965402477064b4c6975831f18b141d2a1d21f
  - SHA512: c69b31c6d74dbd6342e857a2411c96af670022831ce48000385ec05a07f9465e24878eeefbdd6f26f7f9ef34a6b2e8501523151a38f63dc51294e7f280bdaf0f
  - SSDEEP: 6144:+loZM+rIkd8g+EtXHkv/iD4nAaBJX8QfF+nJUg1vbb8e1mUMi:ooZtL+EP8nAaBJX8QfF+nJUg1XFF
  - Detect Umbral payload
  - Command and Scripting Interpreter: PowerShell
    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  - Drops file in Drivers directory
  - Legitimate hosting services abused for malware hosting/C2
  - Looks up external IP address via web service
    Uses a legitimate IP lookup service to find the infected system's external IP.