Resubmissions

02-06-2024 00:57

240602-ba8cradb7z 10

General

  • Target

    loader.exe

  • Size

    365KB

  • Sample

    240602-ba8cradb7z

  • MD5

    cbd720ad4f7be1c099ec22f56ee61dd6

  • SHA1

    9989030c7ea1756e1834c464688d418e773919fc

  • SHA256

    20be105c4a33ebf77ef4db7e8b6ebbb39b156fe1dd16473a7255903f33b76846

  • SHA512

    2ad87fdf5046be22eec58fe71326ab0bcc2a2ca019e1b5519ec1ecbdfbb83731a254c7f400ca48cacb9917da6c85d41a913aa0f8f5b21408a3f2d1e8895e9740

  • SSDEEP

    6144:UsLqdufVUNDa4loZM3fsXtioRkts/cnnK6cMlibJksyVtGXTOMdRYspb8e1m+Fii:PFUNDamoZ1tlRk83MlibJksyVtGXTOMX

Malware Config

Extracted

Family

umbral

C2

https://discordapp.com/api/webhooks/1246463015998586960/d4v_qESsKe8s7VticwxHvyytkOUO321t7x3oNxoyCNYQuwczEVfPUDFWHLnPpAM4tNJ_

Targets

    • Target

      loader.exe

    • Size

      365KB

    • MD5

      cbd720ad4f7be1c099ec22f56ee61dd6

    • SHA1

      9989030c7ea1756e1834c464688d418e773919fc

    • SHA256

      20be105c4a33ebf77ef4db7e8b6ebbb39b156fe1dd16473a7255903f33b76846

    • SHA512

      2ad87fdf5046be22eec58fe71326ab0bcc2a2ca019e1b5519ec1ecbdfbb83731a254c7f400ca48cacb9917da6c85d41a913aa0f8f5b21408a3f2d1e8895e9740

    • SSDEEP

      6144:UsLqdufVUNDa4loZM3fsXtioRkts/cnnK6cMlibJksyVtGXTOMdRYspb8e1m+Fii:PFUNDamoZ1tlRk83MlibJksyVtGXTOMX

    • Detect Umbral payload

    • Modifies visiblity of hidden/system files in Explorer

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks