General
-
Target
Umbral.exe
-
Size
232KB
-
Sample
240826-y1hw4svdqm
-
MD5
b19a46354270983374d8a6c2e1de3eff
-
SHA1
1e0c163fd3d63d26dd3f271a3e348b3d69140c7d
-
SHA256
8ff6ca14eac4b42391697608e3cf0c6fe433e58ac965bef66ec32888305464d9
-
SHA512
829a6b6c93c5f98ac8b2633608c6d05247e8b84b9eb188ffaf69a6339019fd92772730325de9ef378812693203abe19cff289b1feb7ca8149dcbeb857d307b6d
-
SSDEEP
6144:BloZM+rIkd8g+EtXHkv/iD4yF4W4+ZRS23q459cTub8e1mQvi:zoZtL+EP8yF4W4+ZRS23q459cmW
Behavioral task
behavioral1
Sample
Umbral.exe
Resource
win7-20240704-en
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1277722588512129034/-1CdGN8uT-DDAyfx2QemVACEk8llIl7nKhc_0Xo0gB1WQvmFz-N-lYYTHXY6dAJqNVot
Targets
-
-
Target
Umbral.exe
-
Size
232KB
-
MD5
b19a46354270983374d8a6c2e1de3eff
-
SHA1
1e0c163fd3d63d26dd3f271a3e348b3d69140c7d
-
SHA256
8ff6ca14eac4b42391697608e3cf0c6fe433e58ac965bef66ec32888305464d9
-
SHA512
829a6b6c93c5f98ac8b2633608c6d05247e8b84b9eb188ffaf69a6339019fd92772730325de9ef378812693203abe19cff289b1feb7ca8149dcbeb857d307b6d
-
SSDEEP
6144:BloZM+rIkd8g+EtXHkv/iD4yF4W4+ZRS23q459cTub8e1mQvi:zoZtL+EP8yF4W4+ZRS23q459cmW
-
Detect Umbral payload
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1