Overview

overview

10

Static

static

10

Dead Steal...er.exe

windows7-x64

10

Dead Steal...er.exe

windows10-2004-x64

10

Dead Stealer/dead.exe

windows7-x64

10

Dead Stealer/dead.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1b9385d02d7257137ac792f32b3109b02a01c720de368c1f334ec8f54638f795

  • Size

    200KB

  • Sample

    240810-fb9peszgma

  • MD5

    0d95c0b8381a7eea1b391c0c4c1b705a

  • SHA1

    b9777d1eb06902c161f0a88925de3c49d61dadf1

  • SHA256

    1b9385d02d7257137ac792f32b3109b02a01c720de368c1f334ec8f54638f795

  • SHA512

    1d86bfca0e998ce7e6a67eb37189d18f3c66e311b7a2ec393e7f7549f7f5467fed4c10e4965ae77d0799aad2e9d72bc6c62a5e9cc3547eaae1aa5aaaaccc9852

  • SSDEEP

    6144:oXGhaBEyvGC8UasGt9dWiwZIUnD16gXIDS18Q56BB:kGhByeuaRWxIUp6PDOjMBB

Score
10/10
umbralcredential_accessdiscoveryexecutionspywarestealer

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1267112581206904925/Gkx9-NA-5FKJL-3Ehaqtj5lpmNzG-yFwxfY66lVxsyoKGIcae-bbaUO7d-hvSLDQU1-n

Targets

    • Target

      Dead Stealer/dead-builder.exe

    • Size

      254KB

    • MD5

      a57179fa58b196077b35da7eb4032a18

    • SHA1

      92a6d5ac92fe534fa1c5cdb45bc95135ef3effad

    • SHA256

      4fec5552f2a39ddd4bdcfd316ac96ecf9f6a413fb3a674d058d1695b88c8db5f

    • SHA512

      d66f89a6f1b76e64de7f163a9cf4c31b1fcd2b1129800c1659f50d2a23e67e93820f64624ebacd25eeee193fee6e96a849f42687f5b4be9bdf8cab53f7ef31d7

    • SSDEEP

      6144:K4oZoAeVHPtHgTIAaZgCwDx7axHU0unC28ejI8x7:xoZyHPvWCwjXCsIM

    Score
    10/10
    umbralcredential_accessdiscoveryexecutionspywarestealer

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

      stealerumbral

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Drops file in Drivers directory

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

    • Target

      Dead Stealer/dead.payload

    • Size

      254KB

    • MD5

      41a555bbc081356100cafdd006d3c096

    • SHA1

      bf4f81ed8b698b9865098fccabff0bbbe3ca3255

    • SHA256

      7e45b79940116f8a1de3a75f82e5209d0279d99479a24778e1590dd739b6ddf8

    • SHA512

      1bc00d609264c523ab114e845a26edb9a611b927a583730880916f04efeee9c37c4529559a47854e422ab8530ab8edbb87754a755f50939c29e5a14e4b74efbc

    • SSDEEP

      6144:+4oZo8KbOUtoAXAEeDh0x7axHU3FmRaW8ejI82V:9oZAOUo90ufIl

    Score
    10/10
    umbralstealer

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

      stealerumbral
    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks