General

  • Target

    5a2904a05d5d2f5d3d3ef44bdf54e74341ae9b54ba5f6545b37acf187eec4f84.zip

  • Size

    92KB

  • Sample

    240612-2x7mvaxgnk

  • MD5

    c561219802d64420e3eb701d17533337

  • SHA1

    7a41248380246af450c3967c02cb313fdddc3049

  • SHA256

    5a72cef1aee6243c81a9ec709be05ef1d443f1431ba635392e88fe761708ed42

  • SHA512

    78d5f6323e535e4b683fe8de990d013f187e712fc095b1327438d51ba8be1c7d8603ad04e269504907fbba129aa84410d3c7b80d22b088d2367cab9e91a80b7e

  • SSDEEP

    1536:Dwa/5M3IBpELnvaRh9l+GxGwYJmaQJbn15fX2NsG5pBjZDa21Li:USM3QevaNl+GUDYbrOOG5pVZLLi

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1248607651387146310/L22eWHFIaqQanWIJXuwKJbdlgO8LfAMUL1ag9JLuvBFDDekhSwD3f38KvJADfkAUnTsK

Targets

    • Target

      5a2904a05d5d2f5d3d3ef44bdf54e74341ae9b54ba5f6545b37acf187eec4f84.exe

    • Size

      229KB

    • MD5

      1adeea63d576dea9add98e01e9fe78b4

    • SHA1

      8f754fd661d9ce2e9e9a7278b4dd7096b13fc585

    • SHA256

      5a2904a05d5d2f5d3d3ef44bdf54e74341ae9b54ba5f6545b37acf187eec4f84

    • SHA512

      0ba3c5555273a15c5406f0bd1b5f1a3888814bdbb4130f80eae1f973497c4e5d81a92ed0797a55316b358a42a955fe44f476d1e0e90c15211dc30f4dd20c58cb

    • SSDEEP

      6144:lloZMCrIkd8g+EtXHkv/iD4sodaBPUonIWvRsY99ib8e1miLZi:noZZL+EP8sodaBPUonIWvRsY9wfLA

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an open-source modular stealer written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies, and similar profile data.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks