General
-
Target
rawr.exe
-
Size
227KB
-
Sample
240820-d9p2kawapl
-
MD5
a91205f6727f1c3b2f6383b90a364ed2
-
SHA1
f8ee36a1cffba6d008f3db793d73c661e798ab3b
-
SHA256
e9f53a85ccc391f38f8e61a652f9bc828ba30c5716cbb20a279997f47332739b
-
SHA512
feac77579bf151f91ec897a684929ad8b5897a575a45081b27d583c027343f96590a20ceae0662d11cb8ac2df36041ed2a7f9422662cfdcf4cf555649464c36c
-
SSDEEP
6144:eloZM+rIkd8g+EtXHkv/iD4x6ek8il92hDe8NhoNl+lj8e1m1i:IoZtL+EP8kek8il92hDe8Nhoapx
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1268794193321525280/-MtzATHm9H0Ql-oJM2T2M9v_32vsSpeIbom8dQQF9ax-tXdpjKHa9b68xGcy80W5k4pa
Targets
-
-
Target
rawr.exe
-
Size
227KB
-
MD5
a91205f6727f1c3b2f6383b90a364ed2
-
SHA1
f8ee36a1cffba6d008f3db793d73c661e798ab3b
-
SHA256
e9f53a85ccc391f38f8e61a652f9bc828ba30c5716cbb20a279997f47332739b
-
SHA512
feac77579bf151f91ec897a684929ad8b5897a575a45081b27d583c027343f96590a20ceae0662d11cb8ac2df36041ed2a7f9422662cfdcf4cf555649464c36c
-
SSDEEP
6144:eloZM+rIkd8g+EtXHkv/iD4x6ek8il92hDe8NhoNl+lj8e1m1i:IoZtL+EP8kek8il92hDe8Nhoapx
Score10/10-
Detect Umbral payload
-
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory
-
Deletes itself
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1