General
-
Target
7b4cd9478c848e355d91674e959c77b0N.exe
-
Size
229KB
-
Sample
240821-dj4r2a1brp
-
MD5
7b4cd9478c848e355d91674e959c77b0
-
SHA1
84a02dcba4204f3732e66f62b7de540dbcbdee7b
-
SHA256
4feb640b309beb1de84d7d7b4894831692eb2e24da68fafa644ff928499d4a44
-
SHA512
500b2d38d07dd6a43a6dd7248324ff2529f130e539e104148db3a5ca0d17566138688c0df13b4aa4f77297c8579ce1961011e4977aa4d5377fcab6a207ac7457
-
SSDEEP
6144:9loZM3fsXtioRkts/cnnK6cMlfdxJYe5xyBXKYZd8CNub8e1mqni:foZ1tlRk83MlfdxJYe5xyBXKYZd8Cky
Malware Config
Extracted
umbral
https://discordapp.com/api/webhooks/1257663056910090281/aq9xui9Y2270fPdZenlp6VoPaHpqD2TO9wHNMNJ7xwuNEixC_3X9pu4qCJMBqDdrC4E-
Targets
-
-
Target
7b4cd9478c848e355d91674e959c77b0N.exe
-
Size
229KB
-
MD5
7b4cd9478c848e355d91674e959c77b0
-
SHA1
84a02dcba4204f3732e66f62b7de540dbcbdee7b
-
SHA256
4feb640b309beb1de84d7d7b4894831692eb2e24da68fafa644ff928499d4a44
-
SHA512
500b2d38d07dd6a43a6dd7248324ff2529f130e539e104148db3a5ca0d17566138688c0df13b4aa4f77297c8579ce1961011e4977aa4d5377fcab6a207ac7457
-
SSDEEP
6144:9loZM3fsXtioRkts/cnnK6cMlfdxJYe5xyBXKYZd8CNub8e1mqni:foZ1tlRk83MlfdxJYe5xyBXKYZd8Cky
Score10/10-
Detect Umbral payload
-
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory
-
Deletes itself
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1