General

  • Target

    988e18df0a992354434f712880cc3fc7b2037392736138be3b8758bd889065fb

  • Size

    80KB

  • Sample

    240806-q5papavckc

  • MD5

    9e423431f76b9c8bca70c52f24b114b6

  • SHA1

    b708c68d85a0ccda3f2e6d003f6e79510b1d751f

  • SHA256

    988e18df0a992354434f712880cc3fc7b2037392736138be3b8758bd889065fb

  • SHA512

    911101f81acae115e19cd6d18e48470e508ebb28d2d890493419244c844d9da38b4241d3fc27b4013a57d74982d07d2be28742f1ef27a3e2de826ae2b598408b

  • SSDEEP

    1536:iEeuZoNt1RLvd2p4z7vQyxt19+8eeZfh/qz9jxbFjk8pn:iKiDvd2gvQyj199niz9jxBj7

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1269544483859599445/e2idHKRsjakk7thlYC4A6RFw8GsohFMmJRGGfCEcDvdxIcB5zC8g3vIMNBfMP0varopk

Targets

    • Target

      Cheat.exe

    • Size

      229KB

    • MD5

      57b52820e80bbf21cb91858308b64a43

    • SHA1

      681de078a2bab05ff51d6b211a6136cd0a4cf5c5

    • SHA256

      cad17c73e90686eee88e8e73039d69d0969a544a20d324cb30efe4849bf22be2

    • SHA512

      981daa6346b6887d92fc77e865a9de661ebdf5216cca2c05a2817b28833a02a07ae5c64d181990dd0d86971e740a44e709b058a50cbef146066e00bce6628454

    • SSDEEP

      6144:tloZMcrIkd8g+EtXHkv/iD49XVt8il92+De8NhoMi2b8e1m4ohi:voZrL+EP89XVt8il92+De8NhoQG4

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an open-source modular stealer written in C#.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Command and Scripting Interpreter: PowerShell

      Executes commands via powershell.exe.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks