General
  Target: Client.exe
  Size: 380KB
  Sample: 240605-cazlaabe52
  MD5: 7091d715676e10c44205e6fa7f50b7bd
  SHA1: a950398047b6b554181538d6e78ada18bfba510e
  SHA256: 23f43cc11c07245b3c5c14333a53b97330ebd7afa4a893245834fbebfa967d88
  SHA512: 2fd66a8fd5b4d0f1ef52f6cd89b8e14936b56fdb967a83382d8081e67fbbabdb609decef98d19c8caebcc1b5b9bcc3cbaa0209112c9c081556ff87bfcdf7308b
  SSDEEP: 6144:MwZC8z6GIwaC9M1G4TIcgGz+rH4uCBbhZnKMgVia:RZC8OGgt1G4TGY+NCNn4Vi
Static task: static1
Behavioral task: behavioral1
  Sample: Client.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: Client.exe
  Resource: win10v2004-20240426-en
Malware Config
  Extracted: umbral
  https://discord.com/api/webhooks/1247729405409759390/zWUzhv3beId_l06S4nnTrfCRsAkIoHRjlpnuQcnbUkUm0eJjGGkP-VfghAOgfXCbrdiS
Targets
  Target: Client.exe
  Size: 380KB
  MD5: 7091d715676e10c44205e6fa7f50b7bd
  SHA1: a950398047b6b554181538d6e78ada18bfba510e
  SHA256: 23f43cc11c07245b3c5c14333a53b97330ebd7afa4a893245834fbebfa967d88
  SHA512: 2fd66a8fd5b4d0f1ef52f6cd89b8e14936b56fdb967a83382d8081e67fbbabdb609decef98d19c8caebcc1b5b9bcc3cbaa0209112c9c081556ff87bfcdf7308b
  SSDEEP: 6144:MwZC8z6GIwaC9M1G4TIcgGz+rH4uCBbhZnKMgVia:RZC8OGgt1G4TGY+NCNn4Vi

  - Contains code to disable Windows Defender
    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
  - Detect Umbral payload
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Legitimate hosting services abused for malware hosting/C2
  - Looks up external IP address via web service
    Uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Enterprise v15
  Persistence
    Boot or Logon Autostart Execution (1)
      Winlogon Helper DLL (1)
    Scheduled Task/Job (1)
  Privilege Escalation
    Abuse Elevation Control Mechanism (1)
      Bypass User Account Control (1)
    Boot or Logon Autostart Execution (1)
      Winlogon Helper DLL (1)
    Scheduled Task/Job (1)