General
Target: https://filelu.com/gkf7je1dsruo
Sample: 240820-qekjtatbrc
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://filelu.com/gkf7je1dsruo
Resource: win11-20240802-en

Malware Config
Extracted family: umbral
Extracted C2 (Discord webhooks):
https://discord.com/api/webhooks/1273246180444213339/WD3g0fluQYzUEWJLGktGciLgxDNO7vpGOtwr_MbBkj1p4dQ1E_yVhpKFXenzjoh7wM3K
https://discord.com/api/webhooks/1271643069317644288/Yi3JdjrXJ2C95angH0OndOPpWxWydgLtEZVOUV6s32Pf81SxCWBNaV19zjvPX6j0yW0O
Targets
Target: https://filelu.com/gkf7je1dsruo

Signatures
- Detect Umbral payload
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious access or copy of web browser credential store.
- Downloads MZ/PE file
- Drops file in Drivers directory
- Drops startup file
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
- Executes dropped EXE
- Loads dropped DLL
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Enterprise v15
Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Subvert Trust Controls (1)
    SIP and Trust Provider Hijacking (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (3)
    Credentials In Files (3)