Overview

overview

10

Static

static

10

citrontopp...uh.exe

windows7-x64

10

citrontopp...uh.exe

windows10-2004-x64

10

citrontopp...uh.exe

windows7-x64

7

citrontopp...uh.exe

windows10-2004-x64

9

citrontopp...on.exe

windows7-x64

10

citrontopp...on.exe

windows10-2004-x64

10

citrontopp...on.exe

windows7-x64

10

citrontopp...on.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    4b64b08789791f49a88c79ad4c0eae5628fe7547489f958312f53c95f23403ff

  • Size

    10.2MB

  • Sample

    240812-lky7yazand

  • MD5

    187ec6be5a50e8a2297c01572fa530a7

  • SHA1

    bf99963dccd7bbd5bb10ec9c3fff5d3698c7654d

  • SHA256

    4b64b08789791f49a88c79ad4c0eae5628fe7547489f958312f53c95f23403ff

  • SHA512

    34f9e6248874a277d6c25472d110ebc72fe69b783ca5cf288bed7376e71ef3ff98f4c23f89f4e538da66210179cd19c5cbc2308585db389c51ee25e68501a9a3

  • SSDEEP

    196608:lKsYOJ2/S+rSQxCCpbEaxK/Q6iuI5uOf8lwTSd4NBLSeM3HcZs/Dv:gDOwS+4CpAaxqQ6ip5x43d8Lgeg

Score
10/10
umbralcredential_accessdiscoveryexecutionpyinstallerspywarestealer

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1271643069317644288/Yi3JdjrXJ2C95angH0OndOPpWxWydgLtEZVOUV6s32Pf81SxCWBNaV19zjvPX6j0yW0O

Targets

    • Target

      citrontoppest/citrontoppest/Citronyuh.exe

    • Size

      227KB

    • MD5

      867db374eb53605b40be55b3c1541e3c

    • SHA1

      26999780ea28d4902f2d4350bbbf5dab63591fd5

    • SHA256

      ca03916c2b0b804c70ab17755265b3db48fa97480aad3494764f45a1e746bb31

    • SHA512

      5210541fc651210c6aae04c78347db84c8e09a4f320e072f390d63fd03587d2764548ca82b41e23631457e852b093e5af3152275b636d55aa58212d6b48e14a0

    • SSDEEP

      6144:eloZMLrIkd8g+EtXHkv/iD4emzBywvrYyhkijD6C+b8e1m8i:IoZ0L+EP8emzBywvrYyhkijD6R6

    Score
    10/10
    umbralcredential_accessexecutionspywarestealer

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

      stealerumbral

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Drops file in Drivers directory

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

    • Target

      citrontoppest/citrontoppest/citrontoppest/citronuh.exe

    • Size

      10.4MB

    • MD5

      3d7eba8252505d427990ba538c281293

    • SHA1

      673a164fb8c8e9526ef90b103d1514decbec3e43

    • SHA256

      825bd8a21087e0a8eb45f9c0891f3258704667b137630387df17a17fd41635c2

    • SHA512

      bf6035fb59e51e96592b321ff4502ffe37637b003417e37becc8e19b7326fef46cfc54d89b0a5d32084d67d1170f21032a9a71e565f51e2b0291a2f187c60613

    • SSDEEP

      196608:B8Ek2v8ZVqhxFdQmR8dA6ly8Qnf2ODjMnGydShTlXSEPuxXurbOiWoMCkHm:eEk+qVqNdQJl6F3MnG3xlCOuBurbfZaG

    Score
    9/10
    credential_accessdiscoveryspywarestealer

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral3behavioral4

    • Target

      citrontoppest/citrontoppest/citrontoppest/updatechecker/updatecheckercitron.exe

    • Size

      227KB

    • MD5

      a6db1722b4ed09cd06fbdf6f80df47da

    • SHA1

      1fe86fceb4884cb37c4187591ccecd7a4c4d9c15

    • SHA256

      ed1deb13b32c20b6cd35d50351c78d3729315dac5da6f5795dae2c14bed8520b

    • SHA512

      61542031f6f60fca814400c9ec21c0eefa15422646c30b5b3192231a4d5a5845681f7d619818fa0c7c448f860101790d7971c80aa90637e58956b33023079785

    • SSDEEP

      6144:+loZMLrIkd8g+EtXHkv/iD4cYiL+cCFdWQj+ctBIpHb8e1mUi:ooZ0L+EP8cYiL+cCFdWQj+ctBIhK

    Score
    10/10
    umbralcredential_accessexecutionspywarestealer

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

      stealerumbral

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Drops file in Drivers directory

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral5behavioral6

    • Target

      citrontoppest/citrontoppest/updatechecker/updatecheckercitron.exe

    • Size

      227KB

    • MD5

      a6db1722b4ed09cd06fbdf6f80df47da

    • SHA1

      1fe86fceb4884cb37c4187591ccecd7a4c4d9c15

    • SHA256

      ed1deb13b32c20b6cd35d50351c78d3729315dac5da6f5795dae2c14bed8520b

    • SHA512

      61542031f6f60fca814400c9ec21c0eefa15422646c30b5b3192231a4d5a5845681f7d619818fa0c7c448f860101790d7971c80aa90637e58956b33023079785

    • SSDEEP

      6144:+loZMLrIkd8g+EtXHkv/iD4cYiL+cCFdWQj+ctBIpHb8e1mUi:ooZ0L+EP8cYiL+cCFdWQj+ctBIhK

    Score
    10/10
    umbralcredential_accessexecutionspywarestealer

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

      stealerumbral

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Drops file in Drivers directory

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral7behavioral8

MITRE ATT&CK Enterprise v15

Tasks