General

  • Target

    ExtremeInjectorV3.exe

  • Size

    228KB

  • Sample

    240822-z91nysydlh

  • MD5

    92fe53ca6c8f1a424db45bb3f7cdfe56

  • SHA1

    a6d4e261875b162f18f2cbbcc6411cec7b59be37

  • SHA256

    bf1ddaef01c54156875f83d24de19811476ad618bf126460a764c0cb13bcf3b7

  • SHA512

    c4ce50e070a07626fd766212428b15df7d4f4fe680acdc9b0ba084156aea4e4443dd76ddba8ff9d9551a5c00b53d784a716caa95df1a78d80a65dd1bca2c4a16

  • SSDEEP

    6144:OloZM+rIkd8g+EtXHkv/iD4QL6XYe5xy4XKYZd8PRb8e1mLpsi:YoZtL+EP8QL6XYe5xy4XKYZd8hil

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1272960886117498900/YDNHOw3Kos6nSkhyh1-x7wdT3ReBATEXF8kthHRm5wmUtVhzhv3W6IJn4x78vB7KKS5f

Targets

    • Target

      ExtremeInjectorV3.exe

    • Size

      228KB

    • MD5

      92fe53ca6c8f1a424db45bb3f7cdfe56

    • SHA1

      a6d4e261875b162f18f2cbbcc6411cec7b59be37

    • SHA256

      bf1ddaef01c54156875f83d24de19811476ad618bf126460a764c0cb13bcf3b7

    • SHA512

      c4ce50e070a07626fd766212428b15df7d4f4fe680acdc9b0ba084156aea4e4443dd76ddba8ff9d9551a5c00b53d784a716caa95df1a78d80a65dd1bca2c4a16

    • SSDEEP

      6144:OloZM+rIkd8g+EtXHkv/iD4QL6XYe5xy4XKYZd8PRb8e1mLpsi:YoZtL+EP8QL6XYe5xy4XKYZd8hil

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.