umbral | e1663465701c284caff2ef4acd4649efb4aae0b9d935da69766dca2c019bcd0f | Triage

Sharing

General

Target

file_out.exe
Size

214KB
Sample

240806-tm21lstdjr
MD5

a23841ed39cc3b09d4e731a80e2d70a6
SHA1

89f95246610063d67db46554f9d4ac61b8c45e02
SHA256

e1663465701c284caff2ef4acd4649efb4aae0b9d935da69766dca2c019bcd0f
SHA512

1a6c9478beccf81c1371bb59a7c7854d7f19481747705419e5816e42271b526469c74e06b66910514cc5385a69819cc86016ede8b0ccd970976ac59d52afffa5
SSDEEP

3072:1lP/chtWkOIGSSvDvPnsUSCpjli8vRXfOZ44lllllj0em1Sl8eN7bqXBptXT5j/:bcyHIGNsUSUBvRty8eNH8pR

Score

10^/10

umbral credential_access execution spyware stealer

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1087006813825802300/3wUHLU9aZjQ8FO3D6nxGMiHOkFOXdcgPlzsn0-BiZ65SuyOgTOcIixqUH-JEOCn0w142

Targets

- Target
  
  file_out.exe
- Size
  
  214KB
- MD5
  
  a23841ed39cc3b09d4e731a80e2d70a6
- SHA1
  
  89f95246610063d67db46554f9d4ac61b8c45e02
- SHA256
  
  e1663465701c284caff2ef4acd4649efb4aae0b9d935da69766dca2c019bcd0f
- SHA512
  
  1a6c9478beccf81c1371bb59a7c7854d7f19481747705419e5816e42271b526469c74e06b66910514cc5385a69819cc86016ede8b0ccd970976ac59d52afffa5
- SSDEEP
  
  3072:1lP/chtWkOIGSSvDvPnsUSCpjli8vRXfOZ44lllllj0em1Sl8eN7bqXBptXT5j/:bcyHIGNsUSUBvRty8eNH8pR
Score

10^/10

umbral credential_access execution spyware stealer
- Detect Umbral payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

umbralcredential_accessexecutionspywarestealer

behavioral2

umbralcredential_accessexecutionspywarestealer