General
- Target: everything.exe
- Size: 231KB
- Sample: 240811-nrah9ssbmb
- MD5: 5e487f250a2b0c04f06f37b6d66b29ba
- SHA1: 68d5c6fcf314df40abf53b3462cb76dce9af887e
- SHA256: 3dec6623a9f5488bc8fc4a3185cddd03bdda73247063875943a79dd75c5071b6
- SHA512: 1f428c57ee5d53fbe590f12f3e345715b528c5aaa5e971e30fe760d9bf8660a09c1dbf7f94b73c5131c4261163e2fb6932a71ccf67b1a319f0dd1b06af823e54
- SSDEEP: 6144:hloZM+rIkd8g+EtXHkv/iD4EmQIkqNlOhLWU1pAe4dnb8e1mAYVi:ToZtL+EP8EmQIkqNlOhLWU1pAdpd
Malware Config
- Extracted (umbral): https://discord.com/api/webhooks/1271859202385510516/pTwQpNwcygYE0wG_rK1k-m1UL93sqpTzx3wjCGeEq8TF4IINEpBCY1VQKYVlKstu2UV9
Targets
- Target: everything.exe
- Size: 231KB
- Detect Umbral payload
- Credentials from Password Stores: Credentials from Web Browsers. Malicious access to, or copy of, a web browser credential store.
- Command and Scripting Interpreter: PowerShell. Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Drops file in Drivers directory
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service. Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
- Credential Access
  - Credentials from Password Stores (1): Credentials from Web Browsers
  - Unsecured Credentials (1): Credentials In Files