Overview

overview

10

Static

static

10

Krampus.rar

windows11-21h2-x64

3

Krampus/b5...Rl.exe

windows11-21h2-x64

10

Krampus/kr...6c.txt

windows11-21h2-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Krampus.rar

  • Size

    79KB

  • Sample

    240817-glb2kstdjj

  • MD5

    75feae218b03a45d1be3f932f353db7b

  • SHA1

    2eef6e858b38c3c5fece824be164debe55e66f2c

  • SHA256

    ed5fe58c45c8b0e48c4c9405ba8065234090e19e145465117e0d2342f43fd872

  • SHA512

    f13949102f6d6117af5f976cd60dc95315b2be20379d2f7bf4606feffa795a69238d1a84f30288d7e1b45fb407dca583bd17cc9cae3bf129feeb4c2526a0a831

  • SSDEEP

    1536:QLU12qQoZKf09z7AgmdFlLLpfOi96k3wu/ad5Z3uxj7TOpYrJtJ4:QmhgqQgmVLx925ZYX/e

Score
10/10
umbralcredential_accessdiscoveryexecutionspywarestealer

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1225264880039235738/46bNxRt60w9YjuGcjqkvDLT2Saa0gXhoe7P2-CbuUHwdxfwONEkNG92CHxRK6S67a3Bd

Targets

    • Target

      Krampus.rar

    • Size

      79KB

    • MD5

      75feae218b03a45d1be3f932f353db7b

    • SHA1

      2eef6e858b38c3c5fece824be164debe55e66f2c

    • SHA256

      ed5fe58c45c8b0e48c4c9405ba8065234090e19e145465117e0d2342f43fd872

    • SHA512

      f13949102f6d6117af5f976cd60dc95315b2be20379d2f7bf4606feffa795a69238d1a84f30288d7e1b45fb407dca583bd17cc9cae3bf129feeb4c2526a0a831

    • SSDEEP

      1536:QLU12qQoZKf09z7AgmdFlLLpfOi96k3wu/ad5Z3uxj7TOpYrJtJ4:QmhgqQgmVLx925ZYX/e

    Score
    3/10
    behavioral1

    • Target

      Krampus/b5uEJHZB6Rl.exe

    • Size

      231KB

    • MD5

      438289fb9c72ed39bf5497f9af21ec7a

    • SHA1

      8120391ecb41ed6a4c6ef0b259776e59311d6997

    • SHA256

      ea4cb7c7b4cfb2fcc04d1c3f96b20c26638e69a97b15cae14659f0d6afb78f85

    • SHA512

      3647907fa2d503a242ef07cb20b081444b75e0c618a91232c8e77903b4b6aa823b8a7cbe07a45e02591fe48fdd23b5eae88565006b85863c0a5f6e42d7589fe0

    • SSDEEP

      6144:YloZM+rIkd8g+EtXHkv/iD4Bs4DdLocD/abtIEx6tb8e1mTiu:GoZtL+EP8Bs4DdLocD/abtIExq1

    Score
    10/10
    umbralcredential_accessdiscoveryexecutionspywarestealer

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

      stealerumbral

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Drops file in Drivers directory

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral2

    • Target

      Krampus/krampusexec-65cafadfc556c.txt

    • Size

      398B

    • MD5

      a1a8eeadd309b1167d848222712ad8fe

    • SHA1

      70267e1f57a5c60919ca8014a160b0815f771707

    • SHA256

      e78865cb4a3c803ff4d54491e6f38505bfcb13450b5ec053f09e07bc77a73ce5

    • SHA512

      310833ec3d56979bfcabc5b41963671df0815ae2efd1dff9983e97246810e795a2938dbeb2793a15ffd6a35255564cd4adbda97dd3e36d7ecf30b61b558d2475

    Score
    3/10
    behavioral3

MITRE ATT&CK Enterprise v15

Tasks