General

  • Target

    74e445436b010306f116973c93656630N.exe

  • Size

    170KB

  • Sample

    240906-gmgcpazcjr

  • MD5

    74e445436b010306f116973c93656630

  • SHA1

    b1176522355a5863f5c7d7d3ca9db3889bbc485b

  • SHA256

    dceb4a5e6cd2b0d37758cff6b217c69472d6bc6844617817fe22fbf86b7b7135

  • SHA512

    8a331a232b877e329110bb264efe79baaa1189316ac1cabefd12f82f249cf7c8415aec6e1df300e132ba8b6bcc9265e6b1b39847e3baea1d0f1e7e698ad2e367

  • SSDEEP

    3072:hVK2s3mxhbEmdMfQw/eJPGN0wxdFk7G1xB3O/Ga/32hK505EyWEBuedcH5e0K:hVE3m7bh+/eJPGVx0MxB3O/Ga/cQ05vh

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1273828074898718851/qR9eE6omxJxFL_jVry1J18IsVQ6bHhsk5rGr5VLxyO-92VJHyGPK43BBNMWtaUG56gE2

Targets

    • Target

      74e445436b010306f116973c93656630N.exe

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an open-source modular stealer written in C#.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Sets file to hidden

      Modifies file attributes to stop the file from showing in Explorer and similar tools.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks