General
-
Target
SilverBullet+1.1.3.exe
-
Size
246KB
-
Sample
240726-zbry6awekf
-
MD5
cbcd362933c6c8a10a0a6d8c40bbb66a
-
SHA1
4fc0ff8ec329b58c4220a577f694b96be0b874f8
-
SHA256
15e11de5fdc18d4d1a9fe45e494887fe04087aae5a215c1bff4f8fa36b86e7fb
-
SHA512
da01c53ac833edbbb5abbefa5a5da4de0cdd10c9c7469b58db6f14470bbfa6b19c2b335759045402807c549a2fc36495d5d0a4b0ce41cb12a203e2e3d0b1b617
-
SSDEEP
6144:JloZM+rIkd8g+EtXHkv/iD4z6F+cCFdWcj+ctBIKzb8e1ma5i:7oZtL+EP8z6F+cCFdWcj+ctBIMFg
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1265986630452379690/BBJf2AnivR3HxpNT7syZNgB_QNXpHUFPu0irvSlMolVMqrJcVIasxSp0wU30zh7yjlEJ
Targets
-
-
Target
SilverBullet+1.1.3.exe
-
Size
246KB
-
MD5
cbcd362933c6c8a10a0a6d8c40bbb66a
-
SHA1
4fc0ff8ec329b58c4220a577f694b96be0b874f8
-
SHA256
15e11de5fdc18d4d1a9fe45e494887fe04087aae5a215c1bff4f8fa36b86e7fb
-
SHA512
da01c53ac833edbbb5abbefa5a5da4de0cdd10c9c7469b58db6f14470bbfa6b19c2b335759045402807c549a2fc36495d5d0a4b0ce41cb12a203e2e3d0b1b617
-
SSDEEP
6144:JloZM+rIkd8g+EtXHkv/iD4z6F+cCFdWcj+ctBIKzb8e1ma5i:7oZtL+EP8z6F+cCFdWcj+ctBIMFg
Score10/10-
Detect Umbral payload
-
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1