General

  • Target

    7bc6b8054abd6114c35c454c071c7290_NeikiAnalytics.exe

  • Size

    231KB

  • Sample

    240603-zar8jahg64

  • MD5

    7bc6b8054abd6114c35c454c071c7290

  • SHA1

    c88749c113c114d0fe437f4f701b9402a6d11e92

  • SHA256

    4641bea6ae464a8c278a7e0529f754c08f60edc46ecf63b5b4c8775df8c54649

  • SHA512

    4a0cdc2e0b86cacb92f684faec19764882653e75d7d66c37e9da0dec08b6beaadea432c161f1eda9e596ff14bea88c42af51c6837c954b3d3252beebd85991fe

  • SSDEEP

    6144:RloZM+rIkd8g+EtXHkv/iD4vTIgiAfbofxUyzzq2Ab8e1mT8Ti:joZtL+EP8vTIgiAfbofxUyzzqzK9

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1246232317215903755/k1xdEK7NXg9Ud5aRps3d0dup6SCVr7oTrOvl5rUZFNMqDY9YqVHX9ED6ruz0decwjSyA

Targets

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an open-source modular stealer written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks