Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
Umbral.exe
-
Size
484KB
-
Sample
240829-skqdcszepk
-
MD5
76bdc0aa53bd46fd5eb4c4bbba89e865
-
SHA1
5b65000b2503e75e424d8360a40703fb2ff7aa2f
-
SHA256
1c400bc43d208e97292438c4ea59e8203c7fb0e78d44b4af7c2b5af3b71c4a4d
-
SHA512
cc5365a4ba91f3f0dde1177290cce6c538fb75b4dbee53dc74c9870c1c8a4937b44cc1565045497f1a94a6f5bdc127709246a28793c42574fab46b23d4f8f669
-
SSDEEP
12288:MoZrL+EP8njZwR/k4XVG/BcoNiZI8kYFNLQd2nLyNz67:SI8jZwR/k4XVG/BcoNi55MILyM7
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1278684969610252319/yBhsLJdMxB4CMKJHb-dAGghzSPAr0CHcCs4V4WXp7t2rrE6M1zTIuH-KHwgs32LoA0dm
Targets
-
-
Target
Umbral.exe
-
Size
484KB
-
MD5
76bdc0aa53bd46fd5eb4c4bbba89e865
-
SHA1
5b65000b2503e75e424d8360a40703fb2ff7aa2f
-
SHA256
1c400bc43d208e97292438c4ea59e8203c7fb0e78d44b4af7c2b5af3b71c4a4d
-
SHA512
cc5365a4ba91f3f0dde1177290cce6c538fb75b4dbee53dc74c9870c1c8a4937b44cc1565045497f1a94a6f5bdc127709246a28793c42574fab46b23d4f8f669
-
SSDEEP
12288:MoZrL+EP8njZwR/k4XVG/BcoNiZI8kYFNLQd2nLyNz67:SI8jZwR/k4XVG/BcoNi55MILyM7
Score10/10-
Detect Umbral payload
-
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Drops file in Drivers directory
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Defense Evasion
Hide Artifacts
2Hidden Files and Directories
1Resource Forking
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1