General
  Target: both executors.sfx.exe
  Size: 20.3MB
  Sample: 240810-a6ngsaxflq
  MD5: 031e8de494548e53e70a0fb6b663eda4
  SHA1: 0d5c7733fefbaec2fcb7b65f827ac555aadcaebf
  SHA256: cad2b6b2e9fbc51734757d518386ce7940fb6d0bfa887268d313faa7e19d4ec7
  SHA512: 8915d0cae49f55166546496940721293a5bbcf14bfd337022458d944d410b42b1ae4768d062c8f2eafec4380e346f59bfe8a676ab2cafcd84956e53eb2a4d064
  SSDEEP: 393216:9OrF7Xbsfeg2E3Zr62Q07vnUPHzWjtb2c75AOxeOlNUnBS8T/RnB:9ORI328Zr6JtTWjtb2c75AOI7n0+/RnB
Tasks
  Static task: static1
  Behavioral task: behavioral1 (sample: both executors.sfx.exe; resource: win7-20240708-en)
  Behavioral task: behavioral2 (sample: both executors.sfx.exe; resource: win10v2004-20240802-en)
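The hash block above is only useful if it can be checked against a file in hand. The following script is an added example, not part of the sandbox report: it streams a file through MD5, SHA1, SHA256 and SHA512 in one pass, compares the digests with the values copied from the General section, and treats partial agreement (some digests match, others do not) as its own finding, since that means either a transcription error in the IOC list or a collision on one of the weak hashes. The function names and the stand-in file bytes are constructed here; only REPORT_IOCS comes from the report.

```python
"""Check a file against the hash IOCs listed in the report above.

Added example, not part of the sandbox report. REPORT_IOCS is copied from
the General section; every other name and the sample input are constructed here.
"""
import hashlib
from typing import Dict, Set

# Digests for sample 240810-a6ngsaxflq, copied from the report's General section.
REPORT_IOCS: Dict[str, str] = {
    "md5": "031e8de494548e53e70a0fb6b663eda4",
    "sha1": "0d5c7733fefbaec2fcb7b65f827ac555aadcaebf",
    "sha256": "cad2b6b2e9fbc51734757d518386ce7940fb6d0bfa887268d313faa7e19d4ec7",
    "sha512": (
        "8915d0cae49f55166546496940721293a5bbcf14bfd337022458d944d410b42b"
        "1ae4768d062c8f2eafec4380e346f59bfe8a676ab2cafcd84956e53eb2a4d064"
    ),
}


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Return lowercase hex digests for every algorithm named in REPORT_IOCS."""
    hashers = {name: hashlib.new(name) for name in REPORT_IOCS}
    for h in hashers.values():
        h.update(data)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Stream a file through all hashers at once, so a 20 MB sample is read only once."""
    hashers = {name: hashlib.new(name) for name in REPORT_IOCS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def matching_algorithms(digests: Dict[str, str], iocs: Dict[str, str] = REPORT_IOCS) -> Set[str]:
    """Algorithms for which the observed digest equals the report's digest (case-insensitive)."""
    return {
        name for name, expected in iocs.items()
        if name in digests and digests[name].lower() == expected.lower()
    }


def classify(digests: Dict[str, str], iocs: Dict[str, str] = REPORT_IOCS) -> str:
    """'match' if every digest that could be compared agrees, 'none' if none do,
    'inconsistent' if some agree and some disagree.

    Partial agreement deserves an alert of its own: either the IOC list was
    mistranscribed or the file collides with the sample on a weak hash (MD5/SHA1),
    and in both cases the stronger digests are the ones to trust.
    """
    compared = {name for name in iocs if name in digests}
    matched = matching_algorithms(digests, iocs)
    if not compared or not matched:
        return "none"
    if matched == compared:
        return "match"
    return "inconsistent"


# Constructed stand-in for a file on disk: a few bytes with an MZ header, NOT the sample.
CONSTRUCTED_FILE = b"MZ" + b"\x90" * 62 + b"this is not the reported sample"

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    digests = hash_file(target) if target else hash_bytes(CONSTRUCTED_FILE)
    print(classify(digests), sorted(matching_algorithms(digests)))
```

Run it with a path to check a real file; without arguments it hashes the constructed bytes and reports "none". SSDEEP is deliberately left out: it needs a third-party library, and a fuzzy-hash score is a similarity hint rather than an identity check, so it should not feed the same match/no-match decision.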
Malware Config
  (no extracted configuration is listed in the report)

Targets
  both executors.sfx.exe (20.3MB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the General section above). The .sfx.exe suffix is the naming convention for a self-extracting archive wrapper, which is consistent with the "Executes dropped EXE" signature below.
Signatures (from the behavioral runs)
  - Detect Umbral payload
  - Credentials from Password Stores: Credentials from Web Browsers
      Malicious access to, or copying of, a web browser credential store.
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Legitimate hosting services abused for malware hosting/C2
  - Looks up external IP address via web service
      Uses a legitimate IP lookup service to find the infected system's external IP.
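The "Looks up external IP address via web service" signature is easy to turn into a network detection, because the request goes to a small set of well-known public endpoints and is rarely made by anything other than a browser on a healthy workstation. The script below is an added example, not part of the report: it scans proxy log lines for such requests and raises an alert when the requesting process is not an interactive browser. The report does not name the service the sample used, so the domain list, the browser allowlist, the log line format and the log lines themselves are all constructed here.

```python
"""Flag non-browser processes that query a public IP-lookup service.

Added example, not from the sandbox report. The domain list, the process
allowlist, the log format (timestamp host process url) and the log lines are
all constructed for this example.
"""
from typing import List, NamedTuple, Optional
from urllib.parse import urlparse

# Assumed set of common "what is my IP" services; the report does not say which one was used.
IP_LOOKUP_DOMAINS = {
    "ipify.org", "ipinfo.io", "icanhazip.com", "ip-api.com",
    "checkip.amazonaws.com", "ifconfig.me", "myip.com",
}

# Assumed tuning: a user opening one of these sites in a browser is usually benign.
BROWSER_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}


class Hit(NamedTuple):
    timestamp: str
    host: str
    process: str
    domain: str


def lookup_domain(hostname: str) -> Optional[str]:
    """Return the matching IP_LOOKUP_DOMAINS entry if hostname is it or a subdomain of it.

    Suffix matching is anchored on a dot so that 'notipify.org' or
    'ipify.org.evil.test' do not match.
    """
    hostname = hostname.lower().rstrip(".")
    for domain in IP_LOOKUP_DOMAINS:
        if hostname == domain or hostname.endswith("." + domain):
            return domain
    return None


def find_ip_lookups(log_text: str) -> List[Hit]:
    """Every request in the log that went to an IP-lookup service, browser or not."""
    hits: List[Hit] = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue  # malformed line: skip it rather than crash the detector
        timestamp, host, process, url = parts
        hostname = urlparse(url).hostname
        if not hostname:
            continue
        domain = lookup_domain(hostname)
        if domain:
            hits.append(Hit(timestamp, host, process, domain))
    return hits


def alerts(log_text: str) -> List[Hit]:
    """Hits from processes that are not on the browser allowlist."""
    return [h for h in find_ip_lookups(log_text) if h.process.lower() not in BROWSER_PROCESSES]


# Constructed proxy log (not from the report). Process names are made up for the example.
CONSTRUCTED_LOG = """\
2024-08-10T10:02:11Z HOST01 explorer.exe http://www.msftconnecttest.com/connecttest.txt
2024-08-10T10:02:19Z HOST01 sfx_payload.exe http://api.ipify.org/?format=json
2024-08-10T10:03:05Z HOST02 chrome.exe https://ipinfo.io/json
2024-08-10T10:04:40Z HOST02 svchost.exe https://checkip.amazonaws.com/
this line is deliberately malformed
"""

if __name__ == "__main__":
    for hit in alerts(CONSTRUCTED_LOG):
        print(f"{hit.timestamp} {hit.host}: {hit.process} queried {hit.domain}")
```

The browser allowlist is a tuning knob, not a security boundary: a stealer that injects into a browser process would slip past it, so keep find_ip_lookups as the hunting query and use alerts only for the noisier real-time rule.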
MITRE ATT&CK Enterprise v15 (count after each technique is the number of matching signatures)
  Defense Evasion
    Hide Artifacts (T1564): Hidden Files and Directories (T1564.001), 1
    Modify Registry (T1112), 1
  Credential Access
    Credentials from Password Stores (T1555): Credentials from Web Browsers (T1555.003), 1
    Unsecured Credentials (T1552): Credentials In Files (T1552.001), 1