General

  • Target

    392fcfb7445ce64079d2de971877520e.exe

  • Size

    3.4MB

  • Sample

    240824-srbhsawenf

  • MD5

    392fcfb7445ce64079d2de971877520e

  • SHA1

    68b4ab6a88385348fb1808286ac3586c15ef73ef

  • SHA256

    294003b3626890da222c7aeb34f7ac71cec614026c686fd88df269cc175a0e8c

  • SHA512

    87ee7c6b2c6aa96779ab1c9c38e9ebb8f4c589681af31b164c261d84e86eac6e3e7b62beea1c37db912c2d49cbe28c28f1043f69d0b440328b52a482fc520f1c

  • SSDEEP

    98304:h/tCnHVGIBfSIJ7tCHkurtT2zFhuR83VYpBSUKn:JtCHVgG7EttEuR8WpBSUKn

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1273828074898718851/qR9eE6omxJxFL_jVry1J18IsVQ6bHhsk5rGr5VLxyO-92VJHyGPK43BBNMWtaUG56gE2

Targets

    • Target

      392fcfb7445ce64079d2de971877520e.exe

    • Size

      3.4MB

    • MD5

      392fcfb7445ce64079d2de971877520e

    • SHA1

      68b4ab6a88385348fb1808286ac3586c15ef73ef

    • SHA256

      294003b3626890da222c7aeb34f7ac71cec614026c686fd88df269cc175a0e8c

    • SHA512

      87ee7c6b2c6aa96779ab1c9c38e9ebb8f4c589681af31b164c261d84e86eac6e3e7b62beea1c37db912c2d49cbe28c28f1043f69d0b440328b52a482fc520f1c

    • SSDEEP

      98304:h/tCnHVGIBfSIJ7tCHkurtT2zFhuR83VYpBSUKn:JtCHVgG7EttEuR8WpBSUKn

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Detect Umbral payload

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks