umbral | 20c0ffaba031d92ff2346793e00bb14595bc2700ed31566454bf642672f3a0df | Triage

Sharing

General

Target

b58eafa327d4fb65a156dd947ef01f40N.exe
Size

231KB
Sample

240816-v4fz5sxdlf
MD5

b58eafa327d4fb65a156dd947ef01f40
SHA1

45140af55394b97cfc2f2d94846a1bcba54a61a5
SHA256

20c0ffaba031d92ff2346793e00bb14595bc2700ed31566454bf642672f3a0df
SHA512

7a764ce2f9bdcda59ca91cd6764c1e80f86434ae6708f54ee33ed4e9519b348d33b3384cb228a29614a3524ce84d231486f2715b6b9eb7655ed9b78e69cf6bbb
SSDEEP

6144:xloZMLrIkd8g+EtXHkv/iD4FGvXKaL7W8e1m06i:DoZ0L+EP8kvjwL/

Score

10^/10

umbral credential_access execution spyware stealer

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1269631276319772763/o25bvKHZdNWIKlxwZsWuchve_kJF08coX85MF90b1jtfeac64MGlyO-HPhpTLv4moYHD

Targets

- Target
  
  b58eafa327d4fb65a156dd947ef01f40N.exe
- Size
  
  231KB
- MD5
  
  b58eafa327d4fb65a156dd947ef01f40
- SHA1
  
  45140af55394b97cfc2f2d94846a1bcba54a61a5
- SHA256
  
  20c0ffaba031d92ff2346793e00bb14595bc2700ed31566454bf642672f3a0df
- SHA512
  
  7a764ce2f9bdcda59ca91cd6764c1e80f86434ae6708f54ee33ed4e9519b348d33b3384cb228a29614a3524ce84d231486f2715b6b9eb7655ed9b78e69cf6bbb
- SSDEEP
  
  6144:xloZMLrIkd8g+EtXHkv/iD4FGvXKaL7W8e1m06i:DoZ0L+EP8kvjwL/
Score

10^/10

umbral credential_access execution spyware stealer
- Detect Umbral payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

umbralcredential_accessexecutionspywarestealer

behavioral2

umbralcredential_accessexecutionspywarestealer