General

  • Target

    Loader(1).exe

  • Size

    495KB

  • Sample

    240612-t8xm1swarn

  • MD5

    6c200e0e8ddc021a16094bd07c17b1b6

  • SHA1

    faa1dba99441d84898171d9ec2962955235183e9

  • SHA256

    837e540ab292132a621130757c1d5f1738f83e44568847e9278472eac3dc3046

  • SHA512

    bd5e8d976dbdad7d8f5511d777a0998f3d831054b7d3dad2d0a9969ddd622a519b63c1b06b677fef16c90f9ed9de226b25be6ca5f11752a053d6669ce726a15f

  • SSDEEP

    12288:doZ1tlRk83MlgvNh0ad1+F7mEl5Qw5nTiii/Izoqs2PiixJ:G5r39Nh0ad1+F7mEl5QwFzoqs2

Malware Config

Extracted

Family

umbral

C2

https://discordapp.com/api/webhooks/1250210609493180540/EIPBZ3YdZ5w5YcRIO6f1LfLpmEqxvPYjSIyR1VF8Vq8yhqkWJkzZ4iXosQ9u7wa-RKex

Targets

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an open-source modular stealer written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks