General
-
Target
cfb7119e9b1eea0c3f511fb51952399c3f10edb91e12030e49a30172b0510e7e.exe
-
Size
229KB
-
Sample
240824-kxehmavanm
-
MD5
ea031754ac9fe28dbc0c5915cb638e44
-
SHA1
14b2c7b94aefdfc911e26fc5deb6eb8b6d7c0aed
-
SHA256
cfb7119e9b1eea0c3f511fb51952399c3f10edb91e12030e49a30172b0510e7e
-
SHA512
39a0790b3bae0862b1ba87bd6d1165694ba09cfa5104935e00ebaa13924699b2efba92ee6e744d3d820a9c05f80fa41fa1649498dce8f430835e8c6e813c25bb
-
SSDEEP
6144:9loZM9rIkd8g+EtXHkv/iD4RugVzZqStvY5rWWDFZb8e1m7i:foZOL+EP8RugVzZqStvY5rWWD3V
Behavioral task
behavioral1
Sample
cfb7119e9b1eea0c3f511fb51952399c3f10edb91e12030e49a30172b0510e7e.exe
Resource
win7-20240704-en
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1276045605986107432/__jDxBNn4eIwDgfsF9Nvf_usMcbmRdQMO6KCi-9i1IoMGuWJto51uvjMtD8ys47YkqVM
Targets
-
-
Target
cfb7119e9b1eea0c3f511fb51952399c3f10edb91e12030e49a30172b0510e7e.exe
-
Size
229KB
-
MD5
ea031754ac9fe28dbc0c5915cb638e44
-
SHA1
14b2c7b94aefdfc911e26fc5deb6eb8b6d7c0aed
-
SHA256
cfb7119e9b1eea0c3f511fb51952399c3f10edb91e12030e49a30172b0510e7e
-
SHA512
39a0790b3bae0862b1ba87bd6d1165694ba09cfa5104935e00ebaa13924699b2efba92ee6e744d3d820a9c05f80fa41fa1649498dce8f430835e8c6e813c25bb
-
SSDEEP
6144:9loZM9rIkd8g+EtXHkv/iD4RugVzZqStvY5rWWDFZb8e1m7i:foZOL+EP8RugVzZqStvY5rWWD3V
-
Detect Umbral payload
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory
-
Deletes itself
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1