General

  • Target

    LegacyPhasmo.rar

  • Size

    634KB

  • Sample

    240603-lwsjjaaf4z

  • MD5

    b2800c86cdb04d471af2a27f3f7e416a

  • SHA1

    1869929454f4d0b05fb4f51d1983e30be17a28ab

  • SHA256

    ac8a08a5dd79ab90a206fe5f79c6d0982a3d9f21ea23daae9e0a04a0edd65892

  • SHA512

    2d0e779995ad70a6d3176bf1a23a2d3b491f107b57ab4e768dcab3fa6fb1fd908e730a9e84b920727166950164ac68c5f6a4417276e35e7b2f23dafb056ed731

  • SSDEEP

    12288:oEKaaOVozcA11bqV5kJPU/HJOoP84EaLROyu5718CSJo3oLcgsa6Tp5Q5:L+zPebkiPJOoP35s1h8Zo8R695E

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1239969504654655528/VeqtFqysqjPq1RBqiaPnt8f3X7OZKPfU8tkQRyN212Fwc2hm58OjrMT9W-FnzCFUxfPD

Targets

    • Target

      LegacyPhasmo/LegacyPhasmo.exe

    • Size

      495KB

    • MD5

      85946e8adc17bed93bb80005f2caabe7

    • SHA1

      b7941993fc3c58a9a42296b82e43f0988feb2ed9

    • SHA256

      649683f80b00b62ba0979634a6935088637e8b12f91ef8260dfaafa4840d6555

    • SHA512

      331cc3635905ff7673f545c7570cbaae1fa7a7b5637a610d1ce801929d67b527e88cb1e453aa4b1c402ea2565e0e5fa6729d822d38527a6bd8f8e84348c6e51c

    • SSDEEP

      6144:vloZM+rIkd8g+EtXHkv/iD42LM3t74sziKrd4UB8Fb8e1mgi04OA:NoZtL+EP82LM3t74sziKrd4UBsa00

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      LegacyPhasmo/start.bat

    • Size

      1.1MB

    • MD5

      7002fdc4d02a4ed4a5a6f56bc40efcef

    • SHA1

      cef5ea6d5507392e4fd5cb9511160f4882b4d8b8

    • SHA256

      6fddd93899ba0f1de262aa86d1e7f4ed3df8b29e9d2b9679d42b5a81addea6f4

    • SHA512

      d5859012071a604563d96c8cffb9a5f12ae5a085b0160d3e90de140bd50c752d97287c1810140d72bf2404880fecd8332a458005e5e8052f5ad74cf11f12a538

    • SSDEEP

      24576:U2G/nvxW3Ww0t6eSgFX3x5aC6FRMzpC6nHZW/n:UbA306e9FTtYeP0P

    Score
    10/10
    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

MITRE ATT&CK Enterprise v15

Tasks