General
-
Target
750db35c728176edd361bee975326a5b1a270a835be7b272c68175f55d247029
-
Size
231KB
-
Sample
240806-cmz3kszglg
-
MD5
e5fe1871688f8786189ec49cc8124520
-
SHA1
e2de4a187d3cc99969e888819f6cf2bf5c78e90d
-
SHA256
750db35c728176edd361bee975326a5b1a270a835be7b272c68175f55d247029
-
SHA512
095f4398d1af600565bf8e29fc8bf0acbbff1a3729a3b4f531f597342afeed375f248ab5c4b3e589e41fb5305702fbc07b42df9b3320502c9abe3ba4d8a7f30c
-
SSDEEP
6144:xloZM+rIkd8g+EtXHkv/iD43upiLxCqVsQhTuOLPtb8e1m3Ai:DoZtL+EP83upiLxCqVsQhTuOL1mZ
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1269879410761269330/1ip1ZQS6gYdoB-Ta9pQahjff4RjJTrq5zqhSwDiEfc3rFcDTC-14fMTID6Z4bTmCa1cN
Targets
-
-
Target
750db35c728176edd361bee975326a5b1a270a835be7b272c68175f55d247029
-
Size
231KB
-
MD5
e5fe1871688f8786189ec49cc8124520
-
SHA1
e2de4a187d3cc99969e888819f6cf2bf5c78e90d
-
SHA256
750db35c728176edd361bee975326a5b1a270a835be7b272c68175f55d247029
-
SHA512
095f4398d1af600565bf8e29fc8bf0acbbff1a3729a3b4f531f597342afeed375f248ab5c4b3e589e41fb5305702fbc07b42df9b3320502c9abe3ba4d8a7f30c
-
SSDEEP
6144:xloZM+rIkd8g+EtXHkv/iD43upiLxCqVsQhTuOLPtb8e1m3Ai:DoZtL+EP83upiLxCqVsQhTuOL1mZ
Score10/10-
Detect Umbral payload
-
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Drops file in Drivers directory
-
Deletes itself
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1