Resubmissions

02-06-2024 00:57

240602-ba8cradb7z 10

General

  • Target

    loader.exe

  • Size

    365KB

  • Sample

    240602-ba8cradb7z

  • MD5

    cbd720ad4f7be1c099ec22f56ee61dd6

  • SHA1

    9989030c7ea1756e1834c464688d418e773919fc

  • SHA256

    20be105c4a33ebf77ef4db7e8b6ebbb39b156fe1dd16473a7255903f33b76846

  • SHA512

    2ad87fdf5046be22eec58fe71326ab0bcc2a2ca019e1b5519ec1ecbdfbb83731a254c7f400ca48cacb9917da6c85d41a913aa0f8f5b21408a3f2d1e8895e9740

  • SSDEEP

    6144:UsLqdufVUNDa4loZM3fsXtioRkts/cnnK6cMlibJksyVtGXTOMdRYspb8e1m+Fii:PFUNDamoZ1tlRk83MlibJksyVtGXTOMX

Malware Config

Extracted

Family

umbral

C2

https://discordapp.com/api/webhooks/1246463015998586960/d4v_qESsKe8s7VticwxHvyytkOUO321t7x3oNxoyCNYQuwczEVfPUDFWHLnPpAM4tNJ_

Targets

    • Target

      loader.exe

    • Detect Umbral payload

    • Modifies visibility of hidden/system files in Explorer

    • Umbral

      Umbral stealer is an open-source modular stealer written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v13

Each entry lists the technique, its ATT&CK ID and the count reported by the sandbox.

Execution

  • Command and Scripting Interpreter: T1059 (1)

  • PowerShell: T1059.001 (1)

Persistence

  • Boot or Logon Autostart Execution: T1547 (1)

  • Registry Run Keys / Startup Folder: T1547.001 (1)

Privilege Escalation

  • Boot or Logon Autostart Execution: T1547 (1)

  • Registry Run Keys / Startup Folder: T1547.001 (1)

Defense Evasion

  • Hide Artifacts: T1564 (2)

  • Hidden Files and Directories: T1564.001 (2)

  • Modify Registry: T1112 (2)

Credential Access

  • Unsecured Credentials: T1552 (1)

  • Credentials In Files: T1552.001 (1)

Discovery

  • System Information Discovery: T1082 (1)

  • Remote System Discovery: T1018 (1)

Collection

  • Data from Local System: T1005 (1)

Tasks