General
-
Target
xlucheats.exe
-
Size
231KB
-
Sample
240602-v3nzcshe9z
-
MD5
118714b4be372564292805a6016487cf
-
SHA1
08e8bf51aa6f2815d8ef050c21912a079d62aaf7
-
SHA256
b9bc80f978004667f7061aca80b41361b8ed3bfc49a1c00845d8d89688625b53
-
SHA512
523436e0a966027c1e87f9036025f956b96a9e9ded6cdc1f9da9df77384b2c176e758f219834268e9d37f5a236eef551a2561889fc2db429f6e2e49124ade34e
-
SSDEEP
6144:xloZM+rIkd8g+EtXHkv/iD4GAOk8il92vDe8NhoFynb8e1mmFMi:DoZtL+EP8GAOk8il92vDe8NhoFInH
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1241683850384506880/zLFG2DSEFT2WP-EtBvSKwL_2AGFnn2eLnDpU4OZbOwN7IHodOwDDbvSlZd6dQXHK_Sx1
Targets
-
-
Target
xlucheats.exe
-
Size
231KB
-
MD5
118714b4be372564292805a6016487cf
-
SHA1
08e8bf51aa6f2815d8ef050c21912a079d62aaf7
-
SHA256
b9bc80f978004667f7061aca80b41361b8ed3bfc49a1c00845d8d89688625b53
-
SHA512
523436e0a966027c1e87f9036025f956b96a9e9ded6cdc1f9da9df77384b2c176e758f219834268e9d37f5a236eef551a2561889fc2db429f6e2e49124ade34e
-
SSDEEP
6144:xloZM+rIkd8g+EtXHkv/iD4GAOk8il92vDe8NhoFynb8e1mmFMi:DoZtL+EP8GAOk8il92vDe8NhoFInH
Score10/10-
Detect Umbral payload
-
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-