General

  • Target

    SolaroB.exe

  • Size

    315KB

  • Sample

    240618-mhqcpazakh

  • MD5

    ded6899acd90f3b7a2a65ac7adf41c9f

  • SHA1

    1d696bcfcc10fa05d7a69ce7782ebd0006efb367

  • SHA256

    a3b28c9c105887943acef8ae6e70bb79a3db83a7bcdd4307bde10e72c3394268

  • SHA512

    fb7986ec47d65412bdda2e25b6b77866bc5dac8d8c51756ba5129e09f5ceb39b4ffc2c4c76536c20ff7dcc23f150f2dde4ba80f08681e53e8e3867b2dda5ab15

  • SSDEEP

    6144:gtYtxQIeHKPxA20MTbe61lWTLF21cUWF0ryP7iynfap2d3zN9BeOaJs/C2vQG1yt:gtYt7poMPP1le0y+y7iynypQxb5aJ2+

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1251956998581522512/T_EEim3SFywd5SuJ1qG-aBAF2rWGOQN6KOZXRn7DecpgpODfH2Pr1ZycNH_TsE54WBy6
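The C2 is a plain Discord webhook URL, so the usual first step is to carve it out of `strings` output and date it: the webhook ID is a Discord snowflake whose top 42 bits are milliseconds since 2015-01-01 UTC, which tells you when the operator created the webhook. The script below is an added example for this report, not code from the sample or from the sandbox. The webhook line is the one extracted above; the other lines of `SAMPLE_STRINGS` are constructed noise standing in for real `strings` output.

```python
"""Carve Discord webhook C2 from strings output and date the webhook from its ID.

Added example for this report, not tooling from the sample or the sandbox.
The webhook URL is the one the report extracted; every other line of
SAMPLE_STRINGS is constructed noise."""
import re
from datetime import datetime, timezone

DISCORD_EPOCH_MS = 1_420_070_400_000  # Discord snowflake epoch, 2015-01-01T00:00:00Z

# Webhook ID is a snowflake (17-20 digits); the token is a long URL-safe base64 string.
WEBHOOK_RE = re.compile(
    r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/(\d{17,20})/([A-Za-z0-9_-]{60,})"
)

# Constructed stand-in for `strings -n 8 SolaroB.exe`; only the webhook lines come from the report.
SAMPLE_STRINGS = """\
!This program cannot be run in DOS mode.
System.Net.Http
https://discord.com/api/webhooks/1251956998581522512/T_EEim3SFywd5SuJ1qG-aBAF2rWGOQN6KOZXRn7DecpgpODfH2Pr1ZycNH_TsE54WBy6
https://discord.com/api/webhooks/1251956998581522512/T_EEim3SFywd5SuJ1qG-aBAF2rWGOQN6KOZXRn7DecpgpODfH2Pr1ZycNH_TsE54WBy6
SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon
"""


def extract_webhooks(text: str) -> list[tuple[str, str]]:
    """Unique (webhook_id, token) pairs in order of first appearance."""
    found: list[tuple[str, str]] = []
    for m in WEBHOOK_RE.finditer(text):
        pair = (m.group(1), m.group(2))
        if pair not in found:
            found.append(pair)
    return found


def snowflake_time(snowflake: str) -> datetime:
    """Top 42 bits of a Discord snowflake are milliseconds since the Discord epoch."""
    ms = (int(snowflake) >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def defang(webhook_id: str, token: str) -> str:
    """Rendering safe to paste into a report: broken scheme and host, token truncated."""
    return f"hxxps://discord[.]com/api/webhooks/{webhook_id}/{token[:8]}..."


def report(text: str) -> list[dict]:
    """One entry per distinct webhook: ID, creation time from the snowflake, defanged IOC."""
    return [
        {
            "webhook_id": wid,
            "created_utc": snowflake_time(wid).isoformat(timespec="seconds"),
            "ioc": defang(wid, tok),
        }
        for wid, tok in extract_webhooks(text)
    ]


if __name__ == "__main__":
    for entry in report(SAMPLE_STRINGS):
        print(entry)
```

For this sample the snowflake decodes to 2024-06-16 17:50:08 UTC, two days before the submission date encoded in the sample ID above, which is typical of a webhook created specifically for the campaign. Treat the full URL as a bearer secret: anyone holding it can post to, inspect or delete the webhook, so keep it out of shared tickets and report it to Discord rather than touching it from attributable infrastructure.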

Targets

    • Target

      SolaroB.exe (315KB; hashes as listed under General above)

    • Detect Umbral payload

    • Modifies WinLogon for persistence

    • Umbral

      Umbral Stealer is an open-source modular stealer written in C#; it exfiltrates collected data over a Discord webhook, which is the C2 extracted above.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes so the dropped payload is not scanned.

    • Drops file in Drivers directory

    • Event Triggered Execution: AppInit DLLs

      Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check before running the payload.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers routinely target stored browser data, which can include saved credentials, cookies and session tokens.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
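The persistence and defence-evasion signatures above (Winlogon helper, AppInit DLLs, Run key, PowerShell Defender exclusions) all leave registry and process-creation telemetry, so they are straightforward to hunt for on a fleet. The detection logic below is an added example for this report, not sandbox tooling, run over constructed Sysmon-style events (event ID 1 = process create, 13 = registry value set). The file paths, DLL name and SID in `SAMPLE_EVENTS` are placeholders, not values observed from the sample; the ATT&CK technique IDs in the rule names are the standard mappings for these behaviours.

```python
"""Detection logic for the report's persistence and defence-evasion signatures,
run over constructed Sysmon-style events.

Added example, not tooling from the sandbox. Sysmon event IDs: 1 = process create,
13 = registry value set. Paths, DLL name and SID below are placeholders."""
import re

# Registry values the report's signatures hit; Sysmon reports the full path in TargetObject.
REGISTRY_RULES = [
    ("Modifies WinLogon for persistence (T1547.004)",
     re.compile(r"\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\(Userinit|Shell)$", re.I)),
    ("Event Triggered Execution: AppInit DLLs (T1546.010)",
     re.compile(r"\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\(Load)?AppInit_DLLs$", re.I)),
    ("Adds Run key to start application (T1547.001)",
     re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)),
]

# PowerShell adding Defender exclusions or switching real-time monitoring off.
DEFENDER_RULE = (
    "PowerShell modifies Windows Defender settings (T1562.001)",
    re.compile(r"\b(Add|Set)-MpPreference\b.*?-(Exclusion(Path|Extension|Process)|DisableRealtimeMonitoring)", re.I),
)

# Constructed events: the first four mimic what this sample's signatures describe,
# the last two are benign noise a rule must not fire on.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -NoProfile -Command "Add-MpPreference -ExclusionPath C:\\Users\\Public '
                    '-ExclusionExtension exe -ExclusionProcess SolaroB.exe"'},
    {"EventID": 13, "Image": r"C:\Users\Public\SolaroB.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "Details": r"C:\Windows\system32\userinit.exe,C:\Users\Public\SolaroB.exe"},
    {"EventID": 13, "Image": r"C:\Users\Public\SolaroB.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
     "Details": r"C:\Users\Public\dropped.dll"},
    {"EventID": 13, "Image": r"C:\Users\Public\SolaroB.exe",
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SolaroB",
     "Details": r"C:\Users\Public\SolaroB.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LastLogOffEndTimePerfCounter",
     "Details": "0x00000000"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-MpPreference"},
]


def triage(events):
    """Return one hit per (event, rule) match, preserving event order."""
    hits = []
    for ev in events:
        if ev["EventID"] == 1 and DEFENDER_RULE[1].search(ev.get("CommandLine", "")):
            hits.append({"rule": DEFENDER_RULE[0], "image": ev["Image"], "detail": ev["CommandLine"]})
        elif ev["EventID"] == 13:
            target = ev.get("TargetObject", "")
            for name, pattern in REGISTRY_RULES:
                if pattern.search(target):
                    hits.append({"rule": name, "image": ev["Image"],
                                 "detail": f"{target} = {ev.get('Details', '')}"})
    return hits


def by_image(hits):
    """Group rule names per process image: several persistence hits from one image are the story."""
    grouped = {}
    for h in hits:
        grouped.setdefault(h["image"], []).append(h["rule"])
    return grouped


if __name__ == "__main__":
    for image, rules in by_image(triage(SAMPLE_EVENTS)).items():
        print(image)
        for rule in rules:
            print("   ", rule)
```

Run-key writes are noisy on real hosts (installers and updaters set them legitimately), which is why `by_image` matters: one image touching a Run key, Winlogon Userinit and AppInit_DLLs within a short window is a much stronger signal than any single rule, and the `Add-MpPreference` exclusion naming that same image closes the loop.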

MITRE ATT&CK Enterprise v15