umbral | 4916686177420dca945e81aebaf2fc098c21ddb74fbbf9d0f6f2adaf37f218e8 | Triage

Resubmissions

09-08-2024 17:20

240809-vwc9aataqn 10

09-08-2024 17:16

240809-vtg5fsxblb 10

08-08-2024 19:08

240808-xtpkmsxgmn 10

Sharing

General

Target

Nowatermarks.exe
Size

227KB
Sample

240809-vtg5fsxblb
MD5

926ac9e42778634f5c2580a913d83f62
SHA1

e36c92f542a4c010c9cbbdb91df84ec2e16ac62f
SHA256

4916686177420dca945e81aebaf2fc098c21ddb74fbbf9d0f6f2adaf37f218e8
SHA512

e415af55a761d060dfd56f77491d853edb806c5e2337460fb7df8ac76f986e7a89904caa913b56fcbf19e0f3e084a71ef1a13336cf7aa73cdd52c342ff8375c6
SSDEEP

6144:+loZMCrIkd8g+EtXHkv/iD475jhDJ6idOIJbGmTLFb8e1mYi:ooZZL+EP875jhDJ6idOIJbGmTJu

Score

10^/10

umbral credential_access discovery execution spyware stealer

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1271181788311457842/_KRSDrxMDpDT4oPD3ryToXuvZ_BZWmh3fVQDMk6lnIe8xX48U6nAWKJ6cFF3-5ojFCxp

Targets

- Target
  
  Nowatermarks.exe
- Size
  
  227KB
- MD5
  
  926ac9e42778634f5c2580a913d83f62
- SHA1
  
  e36c92f542a4c010c9cbbdb91df84ec2e16ac62f
- SHA256
  
  4916686177420dca945e81aebaf2fc098c21ddb74fbbf9d0f6f2adaf37f218e8
- SHA512
  
  e415af55a761d060dfd56f77491d853edb806c5e2337460fb7df8ac76f986e7a89904caa913b56fcbf19e0f3e084a71ef1a13336cf7aa73cdd52c342ff8375c6
- SSDEEP
  
  6144:+loZMCrIkd8g+EtXHkv/iD475jhDJ6idOIJbGmTLFb8e1mYi:ooZZL+EP875jhDJ6idOIJbGmTJu
Score

10^/10

umbral credential_access discovery execution spyware stealer
- Detect Umbral payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

umbralcredential_accessdiscoveryexecutionspywarestealer

behavioral2

umbralcredential_accessexecutionspywarestealer