General

  • Target

    fg2.th

  • Size

    117KB

  • Sample

    240612-nxq37stcmh

  • MD5

    c871971de854752c8805eb99a99c851c

  • SHA1

    91e581bf65036863b58e514614922a40cf12db28

  • SHA256

    2363609a04549c29326c9e97b8d90a4483b800d3af84e87c23e56be260207271

  • SHA512

    e5bb49642c84f3008e8507e27fc92c8d3daf340f56129a8b4c4ca48251dc1e0ba33e93e359e76d7ae1ee5d3089e01fd12346b3780fcacbce566b9806cd96a84f

  • SSDEEP

    1536:W2UKItlL/allArLrJbxZiHyx000000000000000000000000000000000000000/:WYIWbArPdXiSTThHWt

Malware Config

Targets

    • Target

      fg2.th

    • Detect Umbral payload

    • Modifies WinLogon for persistence

    • Umbral

      Umbral stealer is an open-source modular stealer written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Modifies AppInit DLL entries

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Sets desktop wallpaper using registry
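
The signatures above describe behaviours that can be turned into host-level detection logic. The following Python script is an added example, not part of the sandbox report and not Umbral's code: it runs a set of checks over constructed sample telemetry (process-creation and registry events shaped loosely like Sysmon records; none of it comes from the analysed sample) and flags the Defender exclusion command, the Winlogon and AppInit_DLLs modifications, the Run key, the wallpaper change and the country-code lookup. The registry paths, the Winlogon default values and the Geo\Nation key used for the country-code check are assumptions chosen for the example, as are the event field names.

```python
import re

# Constructed sample telemetry for this example (not data from the report).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -ep bypass -c "Add-MpPreference -ExclusionPath C:\Users\Public -ExclusionExtension exe -ExclusionProcess svchost.exe"'},
    {"type": "registry_set", "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "value": "Userinit", "data": r"C:\Windows\system32\userinit.exe,C:\Users\Public\update.exe"},
    {"type": "registry_set", "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
     "value": "AppInit_DLLs", "data": r"C:\Windows\System32\drivers\helper.dll"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Updater", "data": r"C:\Users\Public\update.exe"},
    {"type": "registry_set", "key": r"HKCU\Control Panel\Desktop",
     "value": "Wallpaper", "data": r"C:\Users\Public\wall.jpg"},
    # Assumed location of the configured country code (GeoID); read, not written.
    {"type": "registry_read", "key": r"HKCU\Control Panel\International\Geo",
     "value": "Nation", "data": "244"},
    # Benign noise that the checks must not flag.
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer",
     "value": "ShellState", "data": "..."},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Get-MpPreference"},
]

# Assumed stock values; anything else in these Winlogon values is suspicious.
WINLOGON_DEFAULTS = {"shell": "explorer.exe",
                     "userinit": r"c:\windows\system32\userinit.exe,"}
EXCLUSION_RE = re.compile(r"-exclusion(path|extension|process)\b", re.I)


def _key_ends(event, suffix):
    return event.get("key", "").lower().endswith(suffix.lower())


def check_defender_exclusion(event):
    """PowerShell adding Defender exclusions via Add-MpPreference -Exclusion*."""
    if event["type"] != "process":
        return None
    cmd = event.get("cmdline", "")
    if not re.search(r"\badd-mppreference\b", cmd, re.I):
        return None
    kinds = sorted({m.lower() for m in EXCLUSION_RE.findall(cmd)})
    return ("defender_exclusion", kinds) if kinds else None


def check_winlogon(event):
    """Shell/Userinit under Winlogon changed away from the assumed defaults."""
    if event["type"] != "registry_set" or not _key_ends(event, r"\Windows NT\CurrentVersion\Winlogon"):
        return None
    default = WINLOGON_DEFAULTS.get(event.get("value", "").lower())
    if default is None or event.get("data", "").strip().lower() == default:
        return None
    return ("winlogon_persistence", f"{event['value']} = {event['data']}")


def check_appinit(event):
    """AppInit_DLLs populated or LoadAppInit_DLLs switched on."""
    if event["type"] != "registry_set" or not _key_ends(event, r"\Windows NT\CurrentVersion\Windows"):
        return None
    name, data = event.get("value", "").lower(), str(event.get("data", "")).strip()
    if name == "appinit_dlls" and data:
        return ("appinit_dll", data)
    if name == "loadappinit_dlls" and data == "1":
        return ("appinit_dll", "LoadAppInit_DLLs enabled")
    return None


def check_run_key(event):
    """New value under a Run or RunOnce key (user or machine hive)."""
    if event["type"] != "registry_set":
        return None
    if _key_ends(event, r"\CurrentVersion\Run") or _key_ends(event, r"\CurrentVersion\RunOnce"):
        return ("run_key", f"{event['value']} = {event['data']}")
    return None


def check_wallpaper(event):
    """Desktop wallpaper replaced through the registry."""
    if event["type"] == "registry_set" and _key_ends(event, r"\Control Panel\Desktop") \
            and event.get("value", "").lower() == "wallpaper":
        return ("wallpaper_set", event["data"])
    return None


def check_geo_lookup(event):
    """Read of the configured country code (assumed key), a geofencing tell."""
    if event["type"] == "registry_read" and _key_ends(event, r"\Control Panel\International\Geo") \
            and event.get("value", "").lower() in {"nation", "name"}:
        return ("country_code_lookup", f"{event['value']} read")
    return None


CHECKS = [check_defender_exclusion, check_winlogon, check_appinit,
          check_run_key, check_wallpaper, check_geo_lookup]


def classify(events):
    """Return (rule, evidence) tuples for every event that trips a check."""
    return [hit for ev in events for hit in (c(ev) for c in CHECKS) if hit]


def triggered_rules(events):
    return sorted({rule for rule, _ in classify(events)})


if __name__ == "__main__":
    for rule, evidence in classify(SAMPLE_EVENTS):
        print(f"{rule:22} {evidence}")
```

Run against the constructed events, all six behaviours are reported and the two benign records stay silent. In a real deployment the same checks would be fed from Sysmon event IDs 1 (process creation) and 13 (registry value set); the country-code read needs registry read auditing or sandbox-style API tracing, which Sysmon does not provide.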

MITRE ATT&CK Enterprise v15

Tasks