umbral | be714037f784e78ea5e6698029d60d692be324de6530a02a8efd65c1a8a5fccc | Triage

Sharing

General

Target

xanyx-loader.exe
Size

349KB
Sample

240827-wlfgbstbrf
MD5

ed847ded3be4f10c7ac9e83d9d1d2e83
SHA1

e871c6bfb85998c26b1dac25f477c401af71b6da
SHA256

be714037f784e78ea5e6698029d60d692be324de6530a02a8efd65c1a8a5fccc
SHA512

a6a3640fed6a3f4241ab2d365ef8fa08af9a5c40f95031cc350a21fbcf1385354c3b8d128e91d0c5cc349856ea7b7ff17a01615da218de9f4b836bccd48fbbf6
SSDEEP

6144:BloZMrlaVXiOBt/dKh98QtB5bxM8KDXqBVa07nIrvTuuuhJ8eFJLVp6kpKte/aVK:zoZzyOB5QB5VM8KDXqBVa07nIrwJ76kb

Score

10^/10

umbral credential_access execution spyware stealer

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1277968811785457707/QMEDo085SOqrKDO33OA_H6n9bDNLlzAEH4AxLM7VchZIKI1isnDJLGpfI126Kl0lK_ic

Targets

- Target
  
  xanyx-loader.exe
- Size
  
  349KB
- MD5
  
  ed847ded3be4f10c7ac9e83d9d1d2e83
- SHA1
  
  e871c6bfb85998c26b1dac25f477c401af71b6da
- SHA256
  
  be714037f784e78ea5e6698029d60d692be324de6530a02a8efd65c1a8a5fccc
- SHA512
  
  a6a3640fed6a3f4241ab2d365ef8fa08af9a5c40f95031cc350a21fbcf1385354c3b8d128e91d0c5cc349856ea7b7ff17a01615da218de9f4b836bccd48fbbf6
- SSDEEP
  
  6144:BloZMrlaVXiOBt/dKh98QtB5bxM8KDXqBVa07nIrvTuuuhJ8eFJLVp6kpKte/aVK:zoZzyOB5QB5VM8KDXqBVa07nIrwJ76kb
Score

10^/10

umbral credential_access execution spyware stealer
- Detect Umbral payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

umbralcredential_accessexecutionspywarestealer