umbral | bf1ddaef01c54156875f83d24de19811476ad618bf126460a764c0cb13bcf3b7 | Triage

Sharing

General

Target

bf1ddaef01c54156875f83d24de19811476ad618bf126460a764c0cb13bcf3b7.exe
Size

228KB
Sample

240823-c5akms1ekd
MD5

92fe53ca6c8f1a424db45bb3f7cdfe56
SHA1

a6d4e261875b162f18f2cbbcc6411cec7b59be37
SHA256

bf1ddaef01c54156875f83d24de19811476ad618bf126460a764c0cb13bcf3b7
SHA512

c4ce50e070a07626fd766212428b15df7d4f4fe680acdc9b0ba084156aea4e4443dd76ddba8ff9d9551a5c00b53d784a716caa95df1a78d80a65dd1bca2c4a16
SSDEEP

6144:OloZM+rIkd8g+EtXHkv/iD4QL6XYe5xy4XKYZd8PRb8e1mLpsi:YoZtL+EP8QL6XYe5xy4XKYZd8hil

Score

10^/10

umbral credential_access discovery execution spyware stealer

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1272960886117498900/YDNHOw3Kos6nSkhyh1-x7wdT3ReBATEXF8kthHRm5wmUtVhzhv3W6IJn4x78vB7KKS5f

Targets

- Target
  
  bf1ddaef01c54156875f83d24de19811476ad618bf126460a764c0cb13bcf3b7.exe
- Size
  
  228KB
- MD5
  
  92fe53ca6c8f1a424db45bb3f7cdfe56
- SHA1
  
  a6d4e261875b162f18f2cbbcc6411cec7b59be37
- SHA256
  
  bf1ddaef01c54156875f83d24de19811476ad618bf126460a764c0cb13bcf3b7
- SHA512
  
  c4ce50e070a07626fd766212428b15df7d4f4fe680acdc9b0ba084156aea4e4443dd76ddba8ff9d9551a5c00b53d784a716caa95df1a78d80a65dd1bca2c4a16
- SSDEEP
  
  6144:OloZM+rIkd8g+EtXHkv/iD4QL6XYe5xy4XKYZd8PRb8e1mLpsi:YoZtL+EP8QL6XYe5xy4XKYZd8hil
Score

10^/10

umbral credential_access discovery execution spyware stealer
- Detect Umbral payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Remote System Discovery

System Information Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

umbralcredential_accessdiscoveryexecutionspywarestealer

behavioral2

umbralcredential_accessdiscoveryexecutionspywarestealer