General

  • Target

    crackgroup.exe

  • Size

    231KB

  • Sample

    240804-n3grqayeqd

  • MD5

    2d1b35b5d718c37ac6cf1daf74668c5c

  • SHA1

    3db5006dbbb6cb3eb4a999823aebe3cd34e883f7

  • SHA256

    0d40285ecea52026970582f409dc872e807b08bff8dae8d80586abb970561390

  • SHA512

    118b13219915396427a2c25e1516cbe441ddad08cca0038ddb2a35967bb1ff2017fd6de554a95db68caf91119bee4076df61461ed35ceef8f8b0f07b5c930752

  • SSDEEP

    6144:RloZMNrIkd8g+EtXHkv/iD48O94vFuW568VHCCHkqb8e1m8Mdi:joZmL+EP88O94vFuW568VHCCHrPM0

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1269231535564001326/-DNI1DVGwiK_7lLyYmcI6Sv3019WqD3npLPhCO2Tq59p_TFJXb7iYY74NuLR9AOskph3

Targets

    • Target

      crackgroup.exe

    • Size

      231KB

    • MD5

      2d1b35b5d718c37ac6cf1daf74668c5c

    • SHA1

      3db5006dbbb6cb3eb4a999823aebe3cd34e883f7

    • SHA256

      0d40285ecea52026970582f409dc872e807b08bff8dae8d80586abb970561390

    • SHA512

      118b13219915396427a2c25e1516cbe441ddad08cca0038ddb2a35967bb1ff2017fd6de554a95db68caf91119bee4076df61461ed35ceef8f8b0f07b5c930752

    • SSDEEP

      6144:RloZMNrIkd8g+EtXHkv/iD48O94vFuW568VHCCHkqb8e1m8Mdi:joZmL+EP88O94vFuW568VHCCHrPM0

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks