umbral | 6afc8f233e1d02de92ab0dad9bb3724ab5b868c5ca59cfd52df6bc384ae1cf36 | Triage

Sharing

General

Target

TOKEN_BOT.rar
Size

82KB
Sample

240607-t4s42abb5z
MD5

d66e3c99b231e3b1959b70e3dff357ff
SHA1

433ca2a167b73ac819e25e732ba7b6a940cbc43b
SHA256

6afc8f233e1d02de92ab0dad9bb3724ab5b868c5ca59cfd52df6bc384ae1cf36
SHA512

7240783b5ed71d5b5cef0deebef4da78e5894d7d446fb3b095042c75a4ec8362f2a01f402e186d65af29bb04c2dde089e8f0d73e6235da0a1b3828f64a5beeed
SSDEEP

1536:eJmMWtcXkWyDYhBptyJX1WiRlcbCn5D7+D8wPa49oPeOrp8S3HSMFdOf7N:emMWjWnBzy3WiR95X+D8wi49BK8eHTMJ

Score

10^/10

umbral execution spyware stealer

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1248666183935459388/H6xZG6F-jgkil3oNGNbSG0sboMZrkd4X59oyn0uqV3zJKxfSnkoPhlPZOuDT23hTub4I

Targets

- Target
  
  TOKEN BOT.exe
- Size
  
  231KB
- MD5
  
  6237b7bfdeef6aa9095852ac74ab5e6e
- SHA1
  
  deaf71a3709b52817cdfe5aec902507c8b89b36b
- SHA256
  
  b4aff6f798705f34a3edf6b528a71aa2dbbeb6d71299799eb1042a09822af2f6
- SHA512
  
  263e769b21fc67f6ccb3c3135b66635cfb12af503b3d90bcc304a1d0b3f7a2524df630c2f3d2dbb968eb5296569e77a49aa66e0627eaea7d5df89c761454541d
- SSDEEP
  
  6144:RloZMQrIkd8g+EtXHkv/iD4vBLU69VewbGkFZw1fUtLJU8e1mci:joZ3L+EP8vBLU69VewbGkFZwlkL42
Score

10^/10

umbral execution spyware stealer
- Detect Umbral payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

umbralexecutionspywarestealer

behavioral2

umbralexecutionspywarestealer