General

  • Target

    Umbral.exe

  • Size

    229KB

  • Sample

    240610-fqwfcacd8w

  • MD5

    aaf99a08d4968f6c8b4dffea65e508b5

  • SHA1

    99d6d8d218dc7a07cb8dbf009ed474782babd4d9

  • SHA256

    30ac9d27fe86c00f827876cb245deedf7f8f4cbb16f4359fda4beb0cf8183d73

  • SHA512

    9bf219952fca4d62f85bf565804e03901ec9d2b77d59e8600f2276a867bd8e6b516f4ee68527b481f11ff4df6ed4da77a438de1c1f386f8eae54e7797a63e696

  • SSDEEP

    6144:9loZM9rIkd8g+EtXHkv/iD4DcSP4+ZRSe3q459cgYb8e1mDi:foZOL+EP8DcSP4+ZRSe3q459clF

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1249007822545621105/lIYWehahvoMIbDERS3j5Uq_Y96bmWma5CxEszXK2nvldB8Ztc-7U-KY4N_IUtSC3fMqB
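The C2 above is a Discord webhook, and the report's "Legitimate hosting services abused for malware hosting/C2" signature rests on it. The following is an added Python example (not code from the report, the sandbox, or the Umbral project) showing how an analyst can pull such webhooks out of text or a dumped .NET binary and date them: the webhook ID is a Discord snowflake, so its upper bits encode creation time, and C# string literals sit in the binary as UTF-16LE, which an ASCII-only strings pass misses. The host variants, the token length bound, the `SAMPLE_BLOB` bytes and the redaction format are this example's own assumptions; the URL itself is the one extracted above.

```python
import re
from datetime import datetime, timezone

# Discord snowflake IDs carry a millisecond timestamp in their upper bits,
# relative to the Discord epoch (2015-01-01T00:00:00Z). A webhook ID is a
# snowflake, so it dates the webhook's creation, a useful triage pivot.
DISCORD_EPOCH_MS = 1420070400000

# Webhook URL shape: /api/webhooks/<id>/<token>. Host variants (discordapp.com,
# ptb., canary.) are accepted; the token length bound is a loose assumption.
WEBHOOK_RE = re.compile(
    r"https?://(?:(?:ptb|canary)\.)?discord(?:app)?\.com"
    r"/api/webhooks/(\d{17,20})/([A-Za-z0-9_-]{40,})"
)

# The webhook extracted from this sample's config (copied from the report).
C2_URL = ("https://discord.com/api/webhooks/1249007822545621105/"
          "lIYWehahvoMIbDERS3j5Uq_Y96bmWma5CxEszXK2nvldB8Ztc-7U-KY4N_IUtSC3fMqB")


def snowflake_time(snowflake):
    """UTC creation time encoded in a Discord snowflake ID."""
    ms = (int(snowflake) >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms // 1000, tz=timezone.utc)


def extract_webhooks(text):
    """Return one record per Discord webhook URL found in text.

    The token alone lets anyone post to or delete the webhook, so it is
    redacted in the record; keep the full URL only for the takedown report.
    """
    hits = []
    for m in WEBHOOK_RE.finditer(text):
        wid, token = m.group(1), m.group(2)
        hits.append({
            "id": wid,
            "token_redacted": token[:4] + "..." + token[-4:],
            "created_utc": snowflake_time(wid),
            "url": m.group(0),
        })
    return hits


def extract_webhooks_from_bytes(data):
    """Scan raw bytes (e.g. a dumped .NET binary) for webhook URLs.

    C# string literals live in the #US heap as UTF-16LE, so an ASCII-only
    strings pass misses them; decode both byte alignments of UTF-16LE too.
    """
    views = [data.decode("latin-1")]
    for offset in (0, 1):
        chunk = data[offset:]
        chunk = chunk[: len(chunk) - (len(chunk) % 2)]
        views.append(chunk.decode("utf-16-le", errors="ignore"))
    seen = {}
    for view in views:
        for hit in extract_webhooks(view):
            seen.setdefault(hit["id"], hit)
    return list(seen.values())


# Constructed blob (not bytes from the real sample): junk bytes, then the C2
# URL as a UTF-16LE literal at an odd offset, the way it would sit in a .NET
# binary's string heap.
SAMPLE_BLOB = b"\x00junk" + C2_URL.encode("utf-16-le") + b"\xff\xfe"

if __name__ == "__main__":
    for hit in extract_webhooks_from_bytes(SAMPLE_BLOB):
        print(hit["id"], hit["created_utc"].isoformat(), hit["token_redacted"])
```

Never post to a recovered webhook from analysis tooling: the token is a bearer credential, and a request both tips off the operator and may count as unauthorised use. Report it to Discord for takedown and keep the ID and creation time as the IoC.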

Targets

    • Target

      Umbral.exe

    • Detect Umbral payload

    • Umbral

      Umbral Stealer is an open-source modular stealer written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes so that the payload and its working directory are not scanned.

    • Drops file in Drivers directory

    • Reads user/profile data of web browsers

      Infostealers commonly target stored browser data, which can include saved credentials, cookies, and autofill data.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup web service to determine the infected system's external IP address.
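The "Command and Scripting Interpreter: PowerShell" signature above fires on Defender exclusions being added. The following is an added Python example (not code from the report or the Umbral project) of the detection logic a SOC would run over process-creation command lines: it normalises the real `Add-MpPreference`/`Set-MpPreference` exclusion parameters (PowerShell binds any unambiguous prefix, so `-ExclusionPa` works), and it decodes `-EncodedCommand` payloads, since the cmdlet is otherwise invisible in the command line. The sample command lines, paths and the helper names are constructed for this example and are not from the sandbox run.

```python
import base64
import re

# Defender's exclusion parameters on Add-/Set-MpPreference. PowerShell binds
# any unambiguous prefix ("-ExclusionPa"), so detection must normalise names.
EXCLUSION_PARAMS = ("ExclusionPath", "ExclusionExtension", "ExclusionProcess")

_CMDLET_RE = re.compile(
    r"\b((?:Add|Set)-MpPreference)\b(.*?)(?=\b(?:Add|Set)-MpPreference\b|\Z)",
    re.I | re.S,
)
_VALUE = r"(?:\"[^\"]*\"|'[^']*'|[^\s,]+)"
_PARAM_RE = re.compile(
    r"-(Exclusion[A-Za-z]*)\s+(" + _VALUE + r"(?:\s*,\s*" + _VALUE + r")*)", re.I
)
# powershell.exe -EncodedCommand accepts prefixes down to -e; the payload is
# base64 of UTF-16LE script text.
_ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def canonical_param(name):
    """Map a possibly abbreviated parameter name to its canonical form; None if ambiguous or unknown."""
    hits = [p for p in EXCLUSION_PARAMS if p.lower().startswith(name.lower())]
    return hits[0] if len(hits) == 1 else None


def expand_encoded(cmdline):
    """Append the decoded text of any -EncodedCommand payload so it is inspected like plain text."""
    expanded = cmdline
    for m in _ENCODED_RE.finditer(cmdline):
        try:
            expanded += " " + base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            continue  # not a valid payload; leave the raw command line as-is
    return expanded


def find_defender_exclusions(cmdline):
    """Return (cmdlet, parameter, value) for every Defender exclusion a command line adds."""
    findings = []
    for cm in _CMDLET_RE.finditer(expand_encoded(cmdline)):
        cmdlet, args = cm.group(1), cm.group(2)
        for pm in _PARAM_RE.finditer(args):
            param = canonical_param(pm.group(1))
            if param is None:
                continue
            for raw in re.split(r"\s*,\s*", pm.group(2)):
                findings.append((cmdlet, param, raw.strip("\"'")))
    return findings


# Constructed process command lines (not from the sandbox run): plain and
# -EncodedCommand exclusion tampering, then a benign read-only query.
_ENCODED_PAYLOAD = base64.b64encode(
    "Add-MpPreference -ExclusionExtension '.exe','.dll' -ExclusionPa C:\\ProgramData"
    .encode("utf-16-le")
).decode("ascii")
SAMPLE_CMDLINES = [
    "powershell.exe -Command \"Add-MpPreference -ExclusionPath 'C:\\Users\\Public' "
    "-ExclusionProcess Umbral.exe\"",
    "powershell.exe -nop -w hidden -ep bypass -enc " + _ENCODED_PAYLOAD,
    "powershell.exe -Command \"Get-MpPreference | Select-Object ExclusionPath\"",
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(find_defender_exclusions(line) or "no exclusion change")
```

Command-line matching is a first pass only: a script file, `Invoke-Expression` of a downloaded string, or the `MpPreference` WMI class bypass it. Pair it with Defender's own operational log, where event ID 5007 records each configuration change, including new exclusions.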

MITRE ATT&CK Enterprise v15