General

  • Target

    WaveInstaller.exe

  • Size

    231KB

  • Sample

    240628-waeqna1bkl

  • MD5

    0eca651a9a275b0674a052b757f4b9ae

  • SHA1

    d646b68d18a28ba263ea2930e58f0b30ac83b4a3

  • SHA256

    64f6576c6db1eaaefbe0ab36e362592c8b27ff856cfcb29c032d06c1f289df1c

  • SHA512

    d1f62b20625a982c3b59fdc56af47833b5f3e0ed2bb3aa03b1c8b71c3160999d87bc53f9f4f7bf1cdf6d45d87ff6e5c96a5cc0977c0da9b6ec1278b3c24870d5

  • SSDEEP

    6144:RloZM+rIkd8g+EtXHkv/iD4hE3sR8e1mRi:joZtL+EP8h/B

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1256283662257754162/oO2GYofXe1PATrHNs7R_nPHF_AfnP-YGm2NE2FG1zwAXoPlTvE-rPO0HfgjbQsp8OIHI

Targets

    • Target

      WaveInstaller.exe

    • Size

      231KB

    • MD5

      0eca651a9a275b0674a052b757f4b9ae

    • SHA1

      d646b68d18a28ba263ea2930e58f0b30ac83b4a3

    • SHA256

      64f6576c6db1eaaefbe0ab36e362592c8b27ff856cfcb29c032d06c1f289df1c

    • SHA512

      d1f62b20625a982c3b59fdc56af47833b5f3e0ed2bb3aa03b1c8b71c3160999d87bc53f9f4f7bf1cdf6d45d87ff6e5c96a5cc0977c0da9b6ec1278b3c24870d5

    • SSDEEP

      6144:RloZM+rIkd8g+EtXHkv/iD4hE3sR8e1mRi:joZtL+EP8h/B

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks