General
-
Target
BL-Tools-v2.8.3.exe
-
Size
6.4MB
-
Sample
240715-gmeh4a1dnr
-
MD5
3488ad52666afe9800364a9c34f9725d
-
SHA1
3412ee1bb608e54b5c80c210432ca23c0c3dd766
-
SHA256
aa23463d85a070a894711f628356694599b8eeca33e3e3dc161f2ef765932235
-
SHA512
e5f42f9f71557720cb7072a37107be5224020dfa94a49a42a56107b0bd8be84aef28f9191705966861fdd6b7a50ff379c3fc36bd2f56e194142711fe9790d06a
-
SSDEEP
196608:cLzA2rwXK0ARSWsQPQJvCvHm9EVi9RZckSIJH:0HkKvwxQjHmuiTZckS
Static task
static1
Behavioral task
behavioral1
Sample
BL-Tools-v2.8.3.exe
Resource
win7-20240704-en
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1252474399957848134/ilQm28lxIOrQeOQaL1rqkItSyclk6EIc_o-hRhExVNFtMZ2xF_oiylm7nsP-jUa248ZH
Targets
-
-
Target
BL-Tools-v2.8.3.exe
-
Size
6.4MB
-
MD5
3488ad52666afe9800364a9c34f9725d
-
SHA1
3412ee1bb608e54b5c80c210432ca23c0c3dd766
-
SHA256
aa23463d85a070a894711f628356694599b8eeca33e3e3dc161f2ef765932235
-
SHA512
e5f42f9f71557720cb7072a37107be5224020dfa94a49a42a56107b0bd8be84aef28f9191705966861fdd6b7a50ff379c3fc36bd2f56e194142711fe9790d06a
-
SSDEEP
196608:cLzA2rwXK0ARSWsQPQJvCvHm9EVi9RZckSIJH:0HkKvwxQjHmuiTZckS
-
Detect Umbral payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-