General

  • Target

    06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe

  • Size

    46.0MB

  • Sample

    240704-j2mjcs1hrm

  • MD5

    2bdf60ce1391ccc1a829a41c8b531dd5

  • SHA1

    8fecb37b06dd016f820cbc55c1446aa34666bf12

  • SHA256

    06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1

  • SHA512

    0091fc481589bb93b2c4352b600220691cd7f0e0ae7979d6cdf4c529db97613d40cf693b01e3b119bc69a3414ba3f700561ee2364474f48a80f2c9763f357359

  • SSDEEP

    24576:f5r3oaR/k4XDG/BcoNWmt2G/nvxW3Ww0tXegr2pdxgLHw8dQefBkrzCL7:dmtbA30XeY6o/QAU+L

Malware Config

Extracted

Family

umbral

C2

https://discordapp.com/api/webhooks/1253005353222668289/_twANrdJlJok9NDlMWHxe2qUewe11QbdTTPK9sqVpjZ9uRjyV2p28YwCPVaWlpRMyL50

Targets

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Detect Umbral payload

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Umbral

      Umbral stealer is an open-source modular stealer written in C#.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15