General

  • Target

    cfb7119e9b1eea0c3f511fb51952399c3f10edb91e12030e49a30172b0510e7e.exe

  • Size

    229KB

  • Sample

    240824-kxehmavanm

  • MD5

    ea031754ac9fe28dbc0c5915cb638e44

  • SHA1

    14b2c7b94aefdfc911e26fc5deb6eb8b6d7c0aed

  • SHA256

    cfb7119e9b1eea0c3f511fb51952399c3f10edb91e12030e49a30172b0510e7e

  • SHA512

    39a0790b3bae0862b1ba87bd6d1165694ba09cfa5104935e00ebaa13924699b2efba92ee6e744d3d820a9c05f80fa41fa1649498dce8f430835e8c6e813c25bb

  • SSDEEP

    6144:9loZM9rIkd8g+EtXHkv/iD4RugVzZqStvY5rWWDFZb8e1m7i:foZOL+EP8RugVzZqStvY5rWWD3V

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1276045605986107432/__jDxBNn4eIwDgfsF9Nvf_usMcbmRdQMO6KCi-9i1IoMGuWJto51uvjMtD8ys47YkqVM

Targets

    • Target

      cfb7119e9b1eea0c3f511fb51952399c3f10edb91e12030e49a30172b0510e7e.exe

    • Size

      229KB

    • MD5

      ea031754ac9fe28dbc0c5915cb638e44

    • SHA1

      14b2c7b94aefdfc911e26fc5deb6eb8b6d7c0aed

    • SHA256

      cfb7119e9b1eea0c3f511fb51952399c3f10edb91e12030e49a30172b0510e7e

    • SHA512

      39a0790b3bae0862b1ba87bd6d1165694ba09cfa5104935e00ebaa13924699b2efba92ee6e744d3d820a9c05f80fa41fa1649498dce8f430835e8c6e813c25bb

    • SSDEEP

      6144:9loZM9rIkd8g+EtXHkv/iD4RugVzZqStvY5rWWDFZb8e1m7i:foZOL+EP8RugVzZqStvY5rWWD3V

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks