Resubmissions

04-07-2024 13:03

240704-qaf1tsxckj 10

04-07-2024 12:47

240704-p1mqmaxbjr 10

General

  • Target

    SolaraB.rar

  • Size

    76KB

  • Sample

    240704-p1mqmaxbjr

  • MD5

    9ad679577500b09d525e224e36667ba4

  • SHA1

    e8c8a7afd0c415b94e65e6d0b782852fd0fe508d

  • SHA256

    351cba23cab65cd57d5ec9e553bfa02d35a32a8f75467a75b1c3735b87af6a3d

  • SHA512

    8f0b245ce641a8912f9c8482c7286bdcf19defd7381f4ee985e0f59701ead1ea134c03816545a9b848b43116afe7da371c2ba6d62b26ccdc5e7b579b68e3c736

  • SSDEEP

    1536:zi2l3ISJ6HumuVjcjvlUiKFyTh7hxcj/Z1jY8LkoGFuQ3d:zl3pJjmeQ5URyd7n8/Z1xozFugd

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1258158330237423708/TP4vZ1k1Rh4BbYP62cogAVNmLUNicORrL9xsgCelKxJelwVrWSmY1bVmhh1Yvxap5YQ-

Targets

    • Target

      SolaraB/Solara/solarabootstrapper.exe

    • Size

      227KB

    • MD5

      ebf1358b8496d5c895f4b8f9298f7f96

    • SHA1

      f0136d66bf877934376858064344c2038b998fd4

    • SHA256

      bccba62c31f689715d01f4e80edbe2fe6a816edb571c4a409fccbe2d5b789b65

    • SHA512

      ca82e5838c7e8b292f46e5b20684b7fbb861f449678fc6283bd5c587c0958c069800e94c9f65b239609434564a394f8ca168d83d40bc27c96ade6c18744beb6d

    • SSDEEP

      6144:eloZMLrIkd8g+EtXHkv/iD46E6TjpaC9sop7mGz3/b8e1mZJi:IoZ0L+EP86E6TjpaC9sop7mGzLt

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks