General

  • Target

    executor.exe

  • Size

    230KB

  • Sample

    240615-hwcars1hme

  • MD5

    6d36622e437d5f0bbeb1e43ee49ffe35

  • SHA1

    98751d0a048e319fec614ae26c1c78c86a048300

  • SHA256

    7561ef67b210e8d30d71700ca0288c5d391adc968988db16eeac209b7cb5941e

  • SHA512

    10f21503c75bded2ce97b260792581d7abf7f633d29cff93251957dad2fd184911160e1dbac19d7325703d0163a2b34e728be07de273dcbbbe87f41da6a1f13e

  • SSDEEP

    6144:lloZM+rIkd8g+EtXHkv/iD40naJUBPUonXWvRsY9Mcb8e1mh5ui:noZtL+EP80naJUBPUonXWvRsY95OD

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1250415107909877781/1IHWX-A_B5LAE4exMzEQBSl89081t9nd5M3o6kddoQT_fkImb8DiRCDij_A_dYoEuLQh

Targets

    • Target

      executor.exe

    • Size

      230KB

    • MD5

      6d36622e437d5f0bbeb1e43ee49ffe35

    • SHA1

      98751d0a048e319fec614ae26c1c78c86a048300

    • SHA256

      7561ef67b210e8d30d71700ca0288c5d391adc968988db16eeac209b7cb5941e

    • SHA512

      10f21503c75bded2ce97b260792581d7abf7f633d29cff93251957dad2fd184911160e1dbac19d7325703d0163a2b34e728be07de273dcbbbe87f41da6a1f13e

    • SSDEEP

      6144:lloZM+rIkd8g+EtXHkv/iD40naJUBPUonXWvRsY9Mcb8e1mh5ui:noZtL+EP80naJUBPUonXWvRsY95OD

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks