General
Target: thegreatestexploits_services.exe
Size: 1.2MB
Sample: 240725-qb8ggazfjl
MD5: aaaf987d8a27c805d177c6063b645be0
SHA1: 64eda37efbbbc0cbedcd33f1594223d96d5b9803
SHA256: d864686dd77c81f89803fe21bc596b9188fd2b9ade88f618d60206a9e167953d
SHA512: 5126f43fcf8e5f5f62f701b4575d7fd3dfc046614b0889d8dc73631ff876d5998d3f5994743847282270cfa20ba7911d206a41cba3e7327eb017f3fdbe9eefa3
SSDEEP: 24576:UxRQjzTD/YM9mIqvJlk0/sFR1TbtXwiSwVizX5C1Wmmrj:YRYzTRMYT5btawQNCXmr
Static task: static1
Malware Config
Extracted family: umbral
Extracted URL: https://discord.com/api/webhooks/1265015414048428153/VWNDpNZhZlKVwrtnGdcffRijkAKSf8EgngZwE8gCRJ90aR_H6BmlLSPeh2FFEO31-nto
Targets
Target: thegreatestexploits_services.exe (hashes as listed under General)
- Detect Umbral payload
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious access or copy of web browser credential store.
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Drops file in Drivers directory
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)