General
- Target: Umbral.exe
- Size: 231KB
- Sample: 240819-l9cega1gll
- MD5: 2f8f9edad83fe12a0e27f2f774f59d97
- SHA1: 0501724be9ae75f5b22e7ab90d7beb71dcc9f8af
- SHA256: e9d12a502f21205c38e5d593c9bfa6f22045e7270fec4d27e027c29b9a6dcb6c
- SHA512: 94f491514d8a0333b0a62d368d62a702ec1018ca2efb3c61e952adf5244e489057d675250df0bc666665cd9cdec128a163a11745884479439e84be6402bdac08
- SSDEEP: 6144:xloZM+rIkd8g+EtXHkv/iD4FRMuyMS1Nmhzus9x4Wnb8e1mzAi:DoZtL+EP8FRMuyMS1Nmhzus9x4QIZ
Malware Config
- Extracted: umbral
- https://discord.com/api/webhooks/1274408641465684134/nn33h2OBDOMhn0IA9dgLWsKAGOyjYByP4r3MN2lzNmVAvTUfsCpRybi3Jx6Wz5bEyNNb
Targets
- Target: Umbral.exe
- Detect Umbral payload
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious access or copy of the web browser credential store.
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Drops file in Drivers directory
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
- Credential Access
  - Credentials from Password Stores
    - Credentials from Web Browsers (1)
  - Unsecured Credentials
    - Credentials In Files (1)