General

  • Target

    Umbral.exe

  • Size

    227KB

  • Sample

    240529-xklsdseh25

  • MD5

    352d7bc3f16944c271e510f0bfad2b71

  • SHA1

    fb31618e42f6beecf323f045f8453e7ecb67f0ea

  • SHA256

    18b39864c478ca8d947a0b08e48965402477064b4c6975831f18b141d2a1d21f

  • SHA512

    c69b31c6d74dbd6342e857a2411c96af670022831ce48000385ec05a07f9465e24878eeefbdd6f26f7f9ef34a6b2e8501523151a38f63dc51294e7f280bdaf0f

  • SSDEEP

    6144:+loZM+rIkd8g+EtXHkv/iD4nAaBJX8QfF+nJUg1vbb8e1mUMi:ooZtL+EP8nAaBJX8QfF+nJUg1XFF

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1245448172436721717/Bkdu-x06BGUQbFzh0vM16H3yT_3yoXWRwoNsxvlyChXcLKWGdmsFpN85Lbd4wBNm2fuY

Targets

    • Target

      Umbral.exe

    • Size

      227KB

    • MD5

      352d7bc3f16944c271e510f0bfad2b71

    • SHA1

      fb31618e42f6beecf323f045f8453e7ecb67f0ea

    • SHA256

      18b39864c478ca8d947a0b08e48965402477064b4c6975831f18b141d2a1d21f

    • SHA512

      c69b31c6d74dbd6342e857a2411c96af670022831ce48000385ec05a07f9465e24878eeefbdd6f26f7f9ef34a6b2e8501523151a38f63dc51294e7f280bdaf0f

    • SSDEEP

      6144:+loZM+rIkd8g+EtXHkv/iD4nAaBJX8QfF+nJUg1vbb8e1mUMi:ooZtL+EP8nAaBJX8QfF+nJUg1XFF

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks