General
- Target: kdmapper.exe
- Size: 231KB
- Sample: 240615-yyt7csshnd
- MD5: 37b9493c936d00a87335d9032eebbb18
- SHA1: f8099a772a38828ca950f1095d6d2aa2cf4687cc
- SHA256: f948429a846cab7bfa48e4ca3a9d6214cc51be06fea654ad11fb53b5bb9e2b73
- SHA512: 9a40291fd227cfe02008c35d4d6f512e0f2136c48c1797e6266fcd494ae72c12987dca30358f9a61915b1700eff4a0a18a5f5a69284cd23d532925f1ab3da782
- SSDEEP: 6144:RloZMLrIkd8g+EtXHkv/iD4bJE3U69VewbGkFZwnkb8e1mki:joZ0L+EP8bJE3U69VewbGkFZw02

Behavioral task
- Task: behavioral1
- Sample: kdmapper.exe
- Resource: win7-20240611-en

Malware Config
- Extracted family: umbral
- C2 (Discord webhook): https://discord.com/api/webhooks/1245161606078267454/2tFUmxkNmqUe2GIZBXmqdKOdpHUqoVlnwgh1OCbXJiFehEaFxvqwVQugRpkuySUIJxIn

Targets
- Target: kdmapper.exe
- Signatures:
  - Detect Umbral payload
  - Command and Scripting Interpreter: PowerShell. Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  - Drops file in Drivers directory
  - Legitimate hosting services abused for malware hosting/C2
  - Looks up external IP address via web service. Uses a legitimate IP lookup service to find the infected system's external IP.