General
-
Target
0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe
-
Size
227KB
-
Sample
240821-lnebya1enc
-
MD5
fe415b65db443f8d7e3aa075d79b4a72
-
SHA1
71fa4604b053ac55c7afa5a2d87ea0bcf8d0a116
-
SHA256
0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0
-
SHA512
dc715d2c938f22446f155afa615adbee775eb7abdc688b204037eccadd435490be3ab0fe6b2a9d493cb357de5730e864ffb842c42dc3051671a7fbc9a9117fb8
-
SSDEEP
6144:+loZM9rIkd8g+EtXHkv/iD4W9YhFzQEbmCzFQMpi+b8e1mSPi:ooZOL+EP8W9YhFzQEbmCzFQMp9Pa
Behavioral task
behavioral1
Sample
0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe
Resource
win7-20240704-en
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1275482598373593190/822q8uNdqFmLgXlYXoKPjV7DMeL26RKuj_LaaISL-Vt4NoZGxgATgb31ip5U3Qc65-i7
Targets
-
-
Target
0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe
-
Size
227KB
-
MD5
fe415b65db443f8d7e3aa075d79b4a72
-
SHA1
71fa4604b053ac55c7afa5a2d87ea0bcf8d0a116
-
SHA256
0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0
-
SHA512
dc715d2c938f22446f155afa615adbee775eb7abdc688b204037eccadd435490be3ab0fe6b2a9d493cb357de5730e864ffb842c42dc3051671a7fbc9a9117fb8
-
SSDEEP
6144:+loZM9rIkd8g+EtXHkv/iD4W9YhFzQEbmCzFQMpi+b8e1mSPi:ooZOL+EP8W9YhFzQEbmCzFQMp9Pa
-
Detect Umbral payload
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory
-
Deletes itself
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1