General

  • Target

    friends.exp

  • Size

    71B

  • Sample

    240612-wmddcsxhqq

  • MD5

    02baa4ea7d85be23014a102f094d6816

  • SHA1

    199f995c6228eb705656f3029990aaf0bf12a588

  • SHA256

    bae70ddcd78c54bc83e5bb64aabc142a23ec4b9f2e665b2ef86b95ad77b35b03

  • SHA512

    ff5bc8ebeb0061e9bac2c4b09f925ef012434ca1ee94ee17bfd1a2ce3edd58cbf87d52617b4929e67d6bd25e1f9ac30da9f507c10cc0c8a88023d37e100407b8

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1250361429333250119/Ue0qgEfIsngTl30ZNCtwzPjGafoMAt1Nkvz6HdtQyp6-br8N7e5NViVMa77MrDft7Ulq

Targets

    • Target

      friends.exp

    • Size

      71B

    • MD5

      02baa4ea7d85be23014a102f094d6816

    • SHA1

      199f995c6228eb705656f3029990aaf0bf12a588

    • SHA256

      bae70ddcd78c54bc83e5bb64aabc142a23ec4b9f2e665b2ef86b95ad77b35b03

    • SHA512

      ff5bc8ebeb0061e9bac2c4b09f925ef012434ca1ee94ee17bfd1a2ce3edd58cbf87d52617b4929e67d6bd25e1f9ac30da9f507c10cc0c8a88023d37e100407b8

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Detect Umbral payload

    • Modifies WinLogon for persistence

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

    • AgentTesla payload

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Modifies AppInit DLL entries

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks