umbral | 683532c9ddccd09aac6480c255099963803eac956ea1d5597c772ff13a8a7a31 | Triage

Sharing

General

Target

BootstrapperV1.13.rar
Size

79KB
Sample

240906-tq1lyswfmc
MD5

88e52f784ad35aff3b37046d8fc152a5
SHA1

d86313ca8a39d844f767d0f70de4bb68b8e2bb04
SHA256

683532c9ddccd09aac6480c255099963803eac956ea1d5597c772ff13a8a7a31
SHA512

82b9aae88dd61416e011f29d092201b0609c0e5d25126343062b548240e585ad1dcd01cbc73fbe0056becf3b060716cb56d35bba1080c441eb01e4c0b173d1c3
SSDEEP

1536:mpcWhrJks7JCizXkmQQU6eGMgBBXv+RPk5xH9griGKmhBGXzs9Xau:qX7JCiLMBbyvY8CC40js9N

Score

10^/10

umbral credential_access discovery execution spyware stealer

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1267765278348152842/-kPKB4JdOggRN8137Je53csdEwdD1XV1iw7mGKhIQuAM7kIz_LwCjyjE2Ekxy7ebgeJr

Targets

- Target
  
  BootstrapperV1.13.exe
- Size
  
  229KB
- MD5
  
  224b37147484176752b12af33b9efd96
- SHA1
  
  d2fbb87ff49e0e80e8585b449fac349688d02f23
- SHA256
  
  2133a2c5f4a04d8ffe1ea436d035917ad16c50fa011b021c95c71f2660e67033
- SHA512
  
  e374e69dad1b3ad39887163e6c8cd07a88e36b167b91b0eeb8a5296f7345ea4c97e6e8e009193b321524f5326118900933e4657b0177b702036525d42c508704
- SSDEEP
  
  6144:9loZM+rIkd8g+EtXHkv/iD4lePZsyVtG/TOMdRYz7b8e1m4i:foZtL+EP8lePZsyVtG/TOMdRYDu
Score

10^/10

umbral credential_access discovery execution spyware stealer
- Detect Umbral payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Remote System Discovery

System Information Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

umbralcredential_accessdiscoveryexecutionspywarestealer

behavioral2

umbralcredential_accessdiscoveryexecutionspywarestealer