General

  • Target

    Launcher.exe

  • Size

    495KB

  • Sample

    240627-zdmgfszbja

  • MD5

    398b7fccfa2d8fd240a5032a20e57200

  • SHA1

    2e9bb06c985765930abd4d8e4734d48fc9db476b

  • SHA256

    6c37b3d7cba096ed83d54a1c31ca265f79567e4b4b9339d1f07b18b5013182d3

  • SHA512

    aef4ca14b00598603aab35dbb3f02a264007d3f14533c59fc6e5040f138f19c2d414de6fa62860ea91e5b80d8e57e2297c30bbc837a0bf15490a758d80ba4c4c

  • SSDEEP

    12288:9oZtL+EP8jM1jfVeGJCMFXSy3l7JDhA/Nfg:LI8w1jfVeGJCMFXSy3l9lA/Nfg

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1255969637254959297/VOD56kR-Ym1Ir4C8x6A8OEDQbQ85zzijJbXyxuRUOY0BIca0X87o3yo10-ghBTV8HF3A

Targets

    • Target

      Launcher.exe

    • Size

      495KB

    • MD5

      398b7fccfa2d8fd240a5032a20e57200

    • SHA1

      2e9bb06c985765930abd4d8e4734d48fc9db476b

    • SHA256

      6c37b3d7cba096ed83d54a1c31ca265f79567e4b4b9339d1f07b18b5013182d3

    • SHA512

      aef4ca14b00598603aab35dbb3f02a264007d3f14533c59fc6e5040f138f19c2d414de6fa62860ea91e5b80d8e57e2297c30bbc837a0bf15490a758d80ba4c4c

    • SSDEEP

      12288:9oZtL+EP8jM1jfVeGJCMFXSy3l7JDhA/Nfg:LI8w1jfVeGJCMFXSy3l9lA/Nfg

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks