General

  • Target: TOKEN_BOT.rar
  • Size: 82KB
  • Sample: 240607-t4s42abb5z
  • MD5: d66e3c99b231e3b1959b70e3dff357ff
  • SHA1: 433ca2a167b73ac819e25e732ba7b6a940cbc43b
  • SHA256: 6afc8f233e1d02de92ab0dad9bb3724ab5b868c5ca59cfd52df6bc384ae1cf36
  • SHA512: 7240783b5ed71d5b5cef0deebef4da78e5894d7d446fb3b095042c75a4ec8362f2a01f402e186d65af29bb04c2dde089e8f0d73e6235da0a1b3828f64a5beeed
  • SSDEEP: 1536:eJmMWtcXkWyDYhBptyJX1WiRlcbCn5D7+D8wPa49oPeOrp8S3HSMFdOf7N:emMWjWnBzy3WiR95X+D8wi49BK8eHTMJ

Malware Config

Extracted

  • Family: umbral
  • C2: https://discord.com/api/webhooks/1248666183935459388/H6xZG6F-jgkil3oNGNbSG0sboMZrkd4X59oyn0uqV3zJKxfSnkoPhlPZOuDT23hTub4I

Targets

    • Target: TOKEN BOT.exe
    • Size: 231KB
    • MD5: 6237b7bfdeef6aa9095852ac74ab5e6e
    • SHA1: deaf71a3709b52817cdfe5aec902507c8b89b36b
    • SHA256: b4aff6f798705f34a3edf6b528a71aa2dbbeb6d71299799eb1042a09822af2f6
    • SHA512: 263e769b21fc67f6ccb3c3135b66635cfb12af503b3d90bcc304a1d0b3f7a2524df630c2f3d2dbb968eb5296569e77a49aa66e0627eaea7d5df89c761454541d
    • SSDEEP: 6144:RloZMQrIkd8g+EtXHkv/iD4vBLU69VewbGkFZw1fUtLJU8e1mci:joZ3L+EP8vBLU69VewbGkFZwlkL42

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an open-source modular stealer written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15