General
-
Target
f29f169e410ccc847f78e8df47006a45025ba10f0d517629f80ad73995d614fd.exe
-
Size
227KB
-
Sample
240821-c3djhszdpk
-
MD5
57725f9d6fe867414481c9174b761df1
-
SHA1
498f57a097747aa80a83a2927a74d96c007028c6
-
SHA256
f29f169e410ccc847f78e8df47006a45025ba10f0d517629f80ad73995d614fd
-
SHA512
28de892b39cfb8e534c8bec5c2a8f277adb006499930fc6cf00251b5f157033d856dcb41dbc80375a61dc7ffe9eb109e1e00cbc42972b2202f8348daac7b6586
-
SSDEEP
6144:+loZM9rIkd8g+EtXHkv/iD4UcHZLxCqVUQhTuOLdG2Hb8e1mB1i:ooZOL+EP8UcHZLxCqVUQhTuOLd9Ec
Behavioral task
behavioral1
Sample
f29f169e410ccc847f78e8df47006a45025ba10f0d517629f80ad73995d614fd.exe
Resource
win7-20240704-en
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1275486097744597052/DtRIVGRXq9EbCOLuFG54p-sV2rFhTNQaPmROPZ12uQi4zP31iRoNPEVEdATCJBi9SiEL
Targets
-
-
Target
f29f169e410ccc847f78e8df47006a45025ba10f0d517629f80ad73995d614fd.exe
-
Size
227KB
-
MD5
57725f9d6fe867414481c9174b761df1
-
SHA1
498f57a097747aa80a83a2927a74d96c007028c6
-
SHA256
f29f169e410ccc847f78e8df47006a45025ba10f0d517629f80ad73995d614fd
-
SHA512
28de892b39cfb8e534c8bec5c2a8f277adb006499930fc6cf00251b5f157033d856dcb41dbc80375a61dc7ffe9eb109e1e00cbc42972b2202f8348daac7b6586
-
SSDEEP
6144:+loZM9rIkd8g+EtXHkv/iD4UcHZLxCqVUQhTuOLdG2Hb8e1mB1i:ooZOL+EP8UcHZLxCqVUQhTuOLd9Ec
-
Detect Umbral payload
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory
-
Deletes itself
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1