General

Target: Umbral.exe
Size: 227KB
Sample: 240723-zs26fs1eqh
MD5: 79ad93ed49ecead23248ec08cc51ecfd
SHA1: 06340a50ce4fa06499e37070bbd70d6a0f25786f
SHA256: 72f47523343d7d1ddc198998a6a411686dbfcc5a608314ba400957e369e24ff8
SHA512: 083fff8df6f2d015cc46a05af331d8eb1dd1b91add76a3b47b818a594bc57a80d167cc6fdb2360de489c52b97e8d042abb207e0133d1a446850504c17ab5ffd7
SSDEEP: 6144:eloZM9rIkd8g+EtXHkv/iD4n8jjSQPL4yBECDjazBb8e1mCi:IoZOL+EP8n8jjSQPL4yBECDjaNQ
Malware Config

Extracted (family: umbral)
Discord webhook: https://discord.com/api/webhooks/1265405021693022301/FILQ0GK0aihutQemB89HsJoduzamtkL5_TFo8EF1W0scjL3mAwd5vIs0TCQX-f6fk3pi

This webhook is the only network configuration recovered from the sample: Umbral posts the data it steals straight to it, which is the behaviour behind the "Legitimate hosting services abused for malware hosting/C2" signature below. Treat the full URL, the webhook ID and the token as indicators.
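The extracted config is just a Discord webhook URL. As an added example (not code from this Triage report or from the Umbral project), the Python below shows how such a webhook is recovered from a sample: Umbral is a .NET stealer (a fact not stated on this page), so its strings sit in the binary as UTF-16LE and a plain ASCII strings pass misses them. The script scans both encodings at both byte alignments, defangs the result, checks the bytes against the SHA-256 in this report, and decodes the creation time embedded in the webhook ID (Discord snowflake IDs carry a millisecond timestamp relative to the Discord epoch; that layout and the URL regex are assumptions from public Discord API behaviour, not from this page). `SAMPLE` is a constructed stand-in for Umbral.exe, not the real file.

```python
"""Recover the Umbral exfiltration config (a Discord webhook) from a sample.

Added example; not code from the Triage report or from the Umbral project.
Umbral is a .NET stealer, so its strings are stored as UTF-16LE and a plain
ASCII strings pass misses them. SAMPLE below is a constructed stand-in.
"""
import hashlib
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Values copied from the report above.
REPORT_SHA256 = "72f47523343d7d1ddc198998a6a411686dbfcc5a608314ba400957e369e24ff8"
WEBHOOK_URL = (
    "https://discord.com/api/webhooks/1265405021693022301/"
    "FILQ0GK0aihutQemB89HsJoduzamtkL5_TFo8EF1W0scjL3mAwd5vIs0TCQX-f6fk3pi"
)

# Assumed shape of a Discord webhook URL: /api/webhooks/<snowflake id>/<token>.
WEBHOOK_RE = re.compile(
    r"https://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/(\d{17,20})/([A-Za-z0-9_\-]{40,})"
)
DISCORD_EPOCH_MS = 1_420_070_400_000  # 2015-01-01T00:00:00Z, the snowflake epoch (assumption)

# Constructed stand-in for Umbral.exe: a fake header, the webhook as a
# UTF-16LE string at an odd byte offset, then an ASCII copy of the same URL.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 11
    + WEBHOOK_URL.encode("utf-16-le") + b"\x00\x00"
    + "Umbral".encode("utf-16-le") + b"\x00" * 8
    + WEBHOOK_URL.encode("ascii") + b"\x00"
)


@dataclass(frozen=True)
class Webhook:
    url: str
    webhook_id: int
    token: str

    @property
    def defanged(self) -> str:
        # Only the host part carries dots, so replacing all of them is safe.
        return "hxxps://" + self.url[len("https://"):].replace(".", "[.]")


def candidate_texts(data: bytes):
    """The sample decoded as ASCII, and as UTF-16LE at both byte alignments."""
    yield data.decode("ascii", errors="ignore")
    for offset in (0, 1):
        yield data[offset:].decode("utf-16-le", errors="ignore")


def extract_webhooks(data: bytes) -> list:
    """Every distinct Discord webhook URL in the sample, in order of discovery."""
    found = {}
    for text in candidate_texts(data):
        for m in WEBHOOK_RE.finditer(text):
            found.setdefault(m.group(0), Webhook(m.group(0), int(m.group(1)), m.group(2)))
    return list(found.values())


def webhook_created_utc(webhook_id: int) -> str:
    """Creation time from the snowflake: bits above the low 22 are ms since the Discord epoch."""
    unix_ms = (webhook_id >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(unix_ms // 1000, tz=timezone.utc).isoformat()


def matches_report(data: bytes) -> bool:
    """True only for the exact file analysed in this report."""
    return hashlib.sha256(data).hexdigest() == REPORT_SHA256


if __name__ == "__main__":
    for hook in extract_webhooks(SAMPLE):
        print(hook.defanged, "created", webhook_created_utc(hook.webhook_id))
    print("matches report hash:", matches_report(SAMPLE))
```

For the webhook in this report the snowflake decodes to 2024-07-23 UTC, the same day as the 240723 prefix of the sample ID, i.e. the collection endpoint was created for this build rather than reused.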
Targets

Target: Umbral.exe
- Detect Umbral payload
- Credentials from Password Stores: Credentials from Web Browsers. Malicious access to, or copying of, the web browser credential store.
- Command and Scripting Interpreter: PowerShell. Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Drops file in Drivers directory
- Legitimate hosting services abused for malware hosting/C2 (the Discord webhook in the extracted config)
- Looks up external IP address via web service. Uses a legitimate IP lookup service to find the infected system's external IP.
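The PowerShell signature above (Defender exclusions added for extensions, paths and processes) is the behaviour most worth hunting for in endpoint telemetry, because it is visible in logs even when the payload itself is packed. As an added example, not from the report or from Umbral, the Python below scans command text for Add-MpPreference/Set-MpPreference exclusion and real-time-protection tampering, handling two evasions that defeat a naive string match: PowerShell's acceptance of abbreviated parameter names (`-ExclusionPa` binds to `-ExclusionPath`), and payloads hidden behind `-EncodedCommand` (base64 of UTF-16LE). The log lines are constructed; the assumed sources are script-block logs (Event ID 4104) and process-creation events (Event ID 4688) from the affected host.

```python
"""Flag PowerShell that adds Defender exclusions or disables real-time protection.

Added example; not code from the Triage report or from Umbral. The log lines
are constructed stand-ins for PowerShell script-block logs (Event ID 4104) and
process-creation command lines (Event ID 4688); only the command text is used.
"""
import base64
import re
from dataclasses import dataclass

# The signature in the report: Add-MpPreference with -ExclusionPath /
# -ExclusionExtension / -ExclusionProcess. Set-MpPreference with
# -DisableRealtimeMonitoring is the usual companion and is covered too.
CMDLET_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)

# PowerShell binds any unambiguous parameter prefix, so "-ExclusionPa" is
# accepted for -ExclusionPath; match the shortest unambiguous prefixes.
PARAM_RE = re.compile(
    r"-(?P<name>Exclusion(?:Pa|E|Pr)\w*|DisableRealtime\w*|DisableIOAV\w*)"
    r"(?:\s+(?P<value>\"[^\"]*\"|'[^']*'|(?!-)\S+))?",
    re.IGNORECASE,
)

# -EncodedCommand takes base64 of UTF-16LE text; the flag itself may be abbreviated.
ENCODED_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line_no: int
    cmdlet: str
    parameter: str
    value: str
    from_encoded_command: bool


def expand_encoded(text: str):
    """Yield the text itself, then every -EncodedCommand payload decoded."""
    yield text, False
    for m in ENCODED_RE.finditer(text):
        try:
            yield base64.b64decode(m.group(1), validate=True).decode("utf-16-le"), True
        except (ValueError, UnicodeDecodeError):
            continue  # not a real payload (e.g. some other long base64-looking token)


def find_defender_tampering(lines) -> list:
    """One Finding per tampering parameter, in log order."""
    findings = []
    for line_no, raw in enumerate(lines, start=1):
        for text, decoded in expand_encoded(raw):
            cmdlet = CMDLET_RE.search(text)
            if cmdlet is None:
                continue
            for p in PARAM_RE.finditer(text):
                value = (p.group("value") or "").strip("\"'")
                findings.append(Finding(line_no, cmdlet.group(0), p.group("name"), value, decoded))
    return findings


# Constructed sample log lines (not real telemetry from this sample).
ENCODED_PAYLOAD = base64.b64encode(
    "Set-MpPreference -DisableRealtimeMonitoring $true".encode("utf-16-le")
).decode("ascii")
SAMPLE_LOGS = [
    "Get-MpPreference | Select-Object ExclusionPath",  # benign audit, must not fire
    'Add-MpPreference -ExclusionPath "C:\\Users\\Public" -ExclusionExtension exe,dll '
    '-ExclusionProcess "Umbral.exe"',
    "Add-MpPreference -ExclusionPa $env:TEMP",  # abbreviated parameter name
    f"powershell.exe -nop -w hidden -enc {ENCODED_PAYLOAD}",  # hidden in base64
    "Set-ItemProperty HKLM:\\SOFTWARE\\Example -Name Flag -Value 1",  # unrelated write
]

if __name__ == "__main__":
    for f in find_defender_tampering(SAMPLE_LOGS):
        tag = " (decoded from -EncodedCommand)" if f.from_encoded_command else ""
        print(f"line {f.line_no}: {f.cmdlet} {f.parameter} {f.value!r}{tag}")
```

On a host that ran this sample the same facts can be read back directly with `Get-MpPreference` (the ExclusionPath, ExclusionExtension and ExclusionProcess properties); any exclusion you did not configure yourself should be removed and the file it covers collected before it is deleted.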
MITRE ATT&CK Enterprise v15

Credential Access
- Credentials from Password Stores (T1555): 1 signature
  - Credentials from Web Browsers (T1555.003): 1 signature
- Unsecured Credentials (T1552): 1 signature
  - Credentials In Files (T1552.001): 1 signature