General
-
Target
123.exe
-
Size
484KB
-
Sample
240829-sjvxfsxhqb
-
MD5
2aa4f648d160439b834046fc7eaf4db3
-
SHA1
7b0da6b64838ea63766e628893b8a08acff406f7
-
SHA256
b34cce587000413f4f48699964dbf1cfcbb2718f0c7749196e1caf154743702d
-
SHA512
d12de3fa54f2bfa81498c1301d957793095869d334d09dffe5be429e92bc2e064ad4a025da643164a25a499fa26ded267e08f847ce8c6b6b0a4242083d42e75e
-
SSDEEP
12288:soZrL+EP8e/WB1DA0rgSjVg8ZWVo8kYFNLQd2nLyNz67:yI8wWB1DA0rgSjVg8ZW95MILyM7
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1278684969610252319/yBhsLJdMxB4CMKJHb-dAGghzSPAr0CHcCs4V4WXp7t2rrE6M1zTIuH-KHwgs32LoA0dm
Targets
-
-
Target
123.exe
-
Size
484KB
-
MD5
2aa4f648d160439b834046fc7eaf4db3
-
SHA1
7b0da6b64838ea63766e628893b8a08acff406f7
-
SHA256
b34cce587000413f4f48699964dbf1cfcbb2718f0c7749196e1caf154743702d
-
SHA512
d12de3fa54f2bfa81498c1301d957793095869d334d09dffe5be429e92bc2e064ad4a025da643164a25a499fa26ded267e08f847ce8c6b6b0a4242083d42e75e
-
SSDEEP
12288:soZrL+EP8e/WB1DA0rgSjVg8ZWVo8kYFNLQd2nLyNz67:yI8wWB1DA0rgSjVg8ZW95MILyM7
Score10/10-
Detect Umbral payload
-
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Drops file in Drivers directory
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1