General

  • Target

    FATALITY crack.rar

  • Size

    2.3MB

  • Sample

    240716-mzhn6s1hjb

  • MD5

    2d9edb8b836a7d1d711d7e63b6896be8

  • SHA1

    54a29663eb88d245bda7d9fbe71d6c3bd86e4e59

  • SHA256

    48fa7c81eedbd5766d91bf8794b21a925e31a5d153a23acdec9138cf4781a540

  • SHA512

    9beb4d1dc5e63a5e88072bd5829dca8eb4f6871622c0c0ded513028e3e3c52f048fae9128de316c1cb0f386cbd2f3e03640e2132955f033afb33faffeb779af2

  • SSDEEP

    49152:NF5exbmSVE8JxY5N+SN4N2oESKVBGRkZZ21XKcfB1LJ:NF5etI8JxY5QncQ1Xlft

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1262023513791795210/lh7elYm8P8VO-5cJhytgrq0ctoq8aDKbmp8g53xHgib8khvCb3mkeM8KrmYRaSRrsa45

Targets

    • Target

      FATALITY crack/FATALITY.exe

    • Size

      2.5MB

    • MD5

      4320dae0d20c88ceb6f28b623a916dd2

    • SHA1

      c1218c51804a602115462ea8259578fdbb280468

    • SHA256

      441d4439cd72a239077d97895571804711356f1e1ded396c229635adf3c80ea4

    • SHA512

      ee32e90d021835d608d43d3ee6d2d107fcfb15fa174c179ed4ae7dd47ec0dd45baadd1c73158c73d5e4fd7b89f5925ae505a6df66bb81e9d5693216316622fcf

    • SSDEEP

      49152:U14vPsUk84QgsmsQgt/KOQtLvwnQ/7syEL+mZ1TxrYgHZfr2gsNS1zb9cVg1Z2U/:JPtmLgtTGTwQAyY3TdYCsI1zAgb27wh

    • Detect Umbral payload

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Umbral

      Umbral stealer is an open-source modular stealer written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies, and similar sensitive data.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Target

      FATALITY crack/cfg/legit.cfg

    • Size

      39KB

    • MD5

      dbeda5a7e2e95e70fc304c3a4e77a0df

    • SHA1

      3298481bc57978c62332e0e94b500563bf3d90ee

    • SHA256

      46d53ca05fca4a8cf440847de6a62d17a58c38a1d5aa57c6cb1acb3278bd362f

    • SHA512

      367ab86c9d27582f234317def91cafdf4efea0f6fad95e44ee942a387b7d933ed4a2397fecebce3be179b18c6c1395eba5d7984ee613beb19a4ad16729dbd1ff

    • SSDEEP

      768:Tddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddb:r

    Score
    3/10

    • Target

      FATALITY crack/cfg/rage.cfg

    • Size

      187KB

    • MD5

      8afa2113286ff459764485d570972a88

    • SHA1

      4ea9847b651ae1841504b0d44622ae67e36c90f3

    • SHA256

      b55e93983670dd54d4d492338e94bed3bced150c4e7c1e1fcdfd69b49f3c84b0

    • SHA512

      834e3adca04b27b5722c3d27dc729dbc6f5befb350104851f081c6ee7d0d60a0f0e3a0904cc4effe4955b2e94b368c44121c9ba1cd11d0dea38b9898c3b72a8e

    • SSDEEP

      768:Tddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddz:D

    Score
    3/10

    • Target

      FATALITY crack/crack.pdb

    • Size

      175KB

    • MD5

      bba057869db12538db08489b52e24f8e

    • SHA1

      1f97afcdb8e6efdde576f8341b9db6e928c901e8

    • SHA256

      3f2ffba4d665d930671518bdf7ccd59e1d63c7c0ae568e98d7e379fc40c952d1

    • SHA512

      b4d793425ded065683ae9910545b00dea7b581bdebee6d543ceebb78e2d121e4447daa33a70f2e1066b676bffb04f9fa13fac7afdf5c2b23b05d33b4bb9a6469

    • SSDEEP

      768:Tdddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd7:L

    Score
    3/10

    • Target

      FATALITY crack/injector.dll

    • Size

      170KB

    • MD5

      2bdf6c2175922c0c7b8fc10b475171fe

    • SHA1

      d965953a56f441578ecf809e750f9dae722eeb22

    • SHA256

      3cf2bc9edea167b1d820352d6f98f1793a6f381a8de7e04f5ab1dc27811408f7

    • SHA512

      17458f631850dfd3bfd0f243b072741e2020a2e9f80e86a2aeced40742d5eba99447f646050c2c95090622e78c75505cae8aa8d09dc261c832e5b5d2e34f9b1b

    • SSDEEP

      768:Tdddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd/:P

    Score
    1/10

MITRE ATT&CK Enterprise v15

Tasks