umbral | 0d40285ecea52026970582f409dc872e807b08bff8dae8d80586abb970561390 | Triage

Sharing

General

Target

crackgroup.exe
Size

231KB
Sample

240804-n2ynvayepf
MD5

2d1b35b5d718c37ac6cf1daf74668c5c
SHA1

3db5006dbbb6cb3eb4a999823aebe3cd34e883f7
SHA256

0d40285ecea52026970582f409dc872e807b08bff8dae8d80586abb970561390
SHA512

118b13219915396427a2c25e1516cbe441ddad08cca0038ddb2a35967bb1ff2017fd6de554a95db68caf91119bee4076df61461ed35ceef8f8b0f07b5c930752
SSDEEP

6144:RloZMNrIkd8g+EtXHkv/iD48O94vFuW568VHCCHkqb8e1m8Mdi:joZmL+EP88O94vFuW568VHCCHrPM0

Score

10^/10

umbral credential_access execution spyware stealer

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1269231535564001326/-DNI1DVGwiK_7lLyYmcI6Sv3019WqD3npLPhCO2Tq59p_TFJXb7iYY74NuLR9AOskph3

Targets

- Target
  
  crackgroup.exe
- Size
  
  231KB
- MD5
  
  2d1b35b5d718c37ac6cf1daf74668c5c
- SHA1
  
  3db5006dbbb6cb3eb4a999823aebe3cd34e883f7
- SHA256
  
  0d40285ecea52026970582f409dc872e807b08bff8dae8d80586abb970561390
- SHA512
  
  118b13219915396427a2c25e1516cbe441ddad08cca0038ddb2a35967bb1ff2017fd6de554a95db68caf91119bee4076df61461ed35ceef8f8b0f07b5c930752
- SSDEEP
  
  6144:RloZMNrIkd8g+EtXHkv/iD48O94vFuW568VHCCHkqb8e1m8Mdi:joZmL+EP88O94vFuW568VHCCHrPM0
Score

10^/10

umbral credential_access execution spyware stealer
- Detect Umbral payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

umbralcredential_accessexecutionspywarestealer

behavioral2

umbralcredential_accessexecutionspywarestealer