General
Target: Umbral.exe
Size: 229KB
Sample: 240724-lgfana1hrf
MD5: e91e7d0ed8c652cc6d31b843ce779610
SHA1: 30100ace6bde410478ab46fd06ffb28759fbbd78
SHA256: de9370ce0b17b04fa1deb6403251580f6cf32035659da7ed57756c08c690d666
SHA512: 9ccda4488fc512344ce51b6173da48902058df858ff82edbe906ef7c116800074823fc179f69ad687d4196d21bf4683ca5dc4a142f69a127714ae3dc37aa1130
SSDEEP: 6144:lloZM9rIkd8g+EtXHkv/iD4UZ7coOJBi0HaIJtMByb8e1mF56Yi:noZOL+EP8UZ7coOJBi0HaIJtMgs50
Malware Config (extracted)
Family: umbral
Extracted URL: https://discord.com/api/webhooks/1265599725864751124/kq2aCEcilzOe4g2D7AB6iQUW1gHJ6M7tRa2cn8JdlNbUcphaqNVxYRxknmdOBnbJxAr5
Signatures
Detect Umbral payload
Credentials from Password Stores: Credentials from Web Browsers. Malicious access to, or copy of, the web browser credential store.
Command and Scripting Interpreter: PowerShell. Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Drops file in Drivers directory
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service. Uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Enterprise v15
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)