General

  • Target

    0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe

  • Size

    227KB

  • Sample

    240821-lnebya1enc

  • MD5

    fe415b65db443f8d7e3aa075d79b4a72

  • SHA1

    71fa4604b053ac55c7afa5a2d87ea0bcf8d0a116

  • SHA256

    0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0

  • SHA512

    dc715d2c938f22446f155afa615adbee775eb7abdc688b204037eccadd435490be3ab0fe6b2a9d493cb357de5730e864ffb842c42dc3051671a7fbc9a9117fb8

  • SSDEEP

    6144:+loZM9rIkd8g+EtXHkv/iD4W9YhFzQEbmCzFQMpi+b8e1mSPi:ooZOL+EP8W9YhFzQEbmCzFQMp9Pa

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1275482598373593190/822q8uNdqFmLgXlYXoKPjV7DMeL26RKuj_LaaISL-Vt4NoZGxgATgb31ip5U3Qc65-i7

Targets

    • Target

      0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe

    • Size

      227KB

    • MD5

      fe415b65db443f8d7e3aa075d79b4a72

    • SHA1

      71fa4604b053ac55c7afa5a2d87ea0bcf8d0a116

    • SHA256

      0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0

    • SHA512

      dc715d2c938f22446f155afa615adbee775eb7abdc688b204037eccadd435490be3ab0fe6b2a9d493cb357de5730e864ffb842c42dc3051671a7fbc9a9117fb8

    • SSDEEP

      6144:+loZM9rIkd8g+EtXHkv/iD4W9YhFzQEbmCzFQMpi+b8e1mSPi:ooZOL+EP8W9YhFzQEbmCzFQMp9Pa

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks