General

  • Target

    macros.exp

  • Size

    11B

  • Sample

    240612-wyrp5avdjd

  • MD5

    4bc624dceaefa042d85d620a6899f789

  • SHA1

    80075d4ba26c76a151ae37110a47eacd30bc2c8e

  • SHA256

    799adf5563cca6365b1290711e311947ed6618e1854d91ae021aa51a5028e6d6

  • SHA512

    d732882835028d2827caff2f438a5309e032f029b208d03d32dacb2d896f11faba52ee38de3e3c6940f130425c87317f3896144a4f4aaa665285b2ccc30fe0a3

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1250512741236609158/IIWgzYIpwZxe9tgX-E05IVAB1SjwpJFSmVUMs2LwPacQi-aTjjeKp_fjFd4vlqkhBq-M

Targets

    • Target

      macros.exp

    • Size

      11B

    • MD5

      4bc624dceaefa042d85d620a6899f789

    • SHA1

      80075d4ba26c76a151ae37110a47eacd30bc2c8e

    • SHA256

      799adf5563cca6365b1290711e311947ed6618e1854d91ae021aa51a5028e6d6

    • SHA512

      d732882835028d2827caff2f438a5309e032f029b208d03d32dacb2d896f11faba52ee38de3e3c6940f130425c87317f3896144a4f4aaa665285b2ccc30fe0a3

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Detect Umbral payload

    • Modifies WinLogon for persistence

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

    • AgentTesla payload

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Modifies AppInit DLL entries

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks