General
-
Target
b5uEJHZB6Rl.exe
-
Size
231KB
-
Sample
240805-ttmjhavgrg
-
MD5
438289fb9c72ed39bf5497f9af21ec7a
-
SHA1
8120391ecb41ed6a4c6ef0b259776e59311d6997
-
SHA256
ea4cb7c7b4cfb2fcc04d1c3f96b20c26638e69a97b15cae14659f0d6afb78f85
-
SHA512
3647907fa2d503a242ef07cb20b081444b75e0c618a91232c8e77903b4b6aa823b8a7cbe07a45e02591fe48fdd23b5eae88565006b85863c0a5f6e42d7589fe0
-
SSDEEP
6144:YloZM+rIkd8g+EtXHkv/iD4Bs4DdLocD/abtIEx6tb8e1mTiu:GoZtL+EP8Bs4DdLocD/abtIExq1
Behavioral task
behavioral1
Sample
b5uEJHZB6Rl.exe
Resource
win7-20240704-en
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1225264880039235738/46bNxRt60w9YjuGcjqkvDLT2Saa0gXhoe7P2-CbuUHwdxfwONEkNG92CHxRK6S67a3Bd
Targets
-
-
Target
b5uEJHZB6Rl.exe
-
Size
231KB
-
MD5
438289fb9c72ed39bf5497f9af21ec7a
-
SHA1
8120391ecb41ed6a4c6ef0b259776e59311d6997
-
SHA256
ea4cb7c7b4cfb2fcc04d1c3f96b20c26638e69a97b15cae14659f0d6afb78f85
-
SHA512
3647907fa2d503a242ef07cb20b081444b75e0c618a91232c8e77903b4b6aa823b8a7cbe07a45e02591fe48fdd23b5eae88565006b85863c0a5f6e42d7589fe0
-
SSDEEP
6144:YloZM+rIkd8g+EtXHkv/iD4Bs4DdLocD/abtIEx6tb8e1mTiu:GoZtL+EP8Bs4DdLocD/abtIExq1
-
Detect Umbral payload
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory
-
Deletes itself
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1