General
-
Target
f29f169e410ccc847f78e8df47006a45025ba10f0d517629f80ad73995d614fd.exe
-
Size
227KB
-
Sample
240821-nl85mszbqr
-
MD5
57725f9d6fe867414481c9174b761df1
-
SHA1
498f57a097747aa80a83a2927a74d96c007028c6
-
SHA256
f29f169e410ccc847f78e8df47006a45025ba10f0d517629f80ad73995d614fd
-
SHA512
28de892b39cfb8e534c8bec5c2a8f277adb006499930fc6cf00251b5f157033d856dcb41dbc80375a61dc7ffe9eb109e1e00cbc42972b2202f8348daac7b6586
-
SSDEEP
6144:+loZM9rIkd8g+EtXHkv/iD4UcHZLxCqVUQhTuOLdG2Hb8e1mB1i:ooZOL+EP8UcHZLxCqVUQhTuOLd9Ec
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1275486097744597052/DtRIVGRXq9EbCOLuFG54p-sV2rFhTNQaPmROPZ12uQi4zP31iRoNPEVEdATCJBi9SiEL
Targets
-
-
Target
f29f169e410ccc847f78e8df47006a45025ba10f0d517629f80ad73995d614fd.exe
-
Size
227KB
-
MD5
57725f9d6fe867414481c9174b761df1
-
SHA1
498f57a097747aa80a83a2927a74d96c007028c6
-
SHA256
f29f169e410ccc847f78e8df47006a45025ba10f0d517629f80ad73995d614fd
-
SHA512
28de892b39cfb8e534c8bec5c2a8f277adb006499930fc6cf00251b5f157033d856dcb41dbc80375a61dc7ffe9eb109e1e00cbc42972b2202f8348daac7b6586
-
SSDEEP
6144:+loZM9rIkd8g+EtXHkv/iD4UcHZLxCqVUQhTuOLdG2Hb8e1mB1i:ooZOL+EP8UcHZLxCqVUQhTuOLd9Ec
Score10/10-
Detect Umbral payload
-
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Drops file in Drivers directory
-
Deletes itself
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1