General
Target: 880291d677d6775c4d808db72a161db0N
Size: 229KB
Sample: 240907-zzbxvavfnr
MD5: 880291d677d6775c4d808db72a161db0
SHA1: 5455b1a4cc2efeef61a63109a34c0730a759cae4
SHA256: 07e766e52bb7e049cf15d5f7a5d7e5600760920a6fdf0817da956572267f6002
SHA512: 9bb8a742960e14ebbc50e247cc96ce3cf721e45fe19afe98e1fa8820aad8c9af96291445c778d06c6916763c54b0f5e3e05d7187cceb1a96b8ff9fba9e3c927f
SSDEEP: 6144:lloZM9rIkd8g+EtXHkv/iD4ruwiJX8Qf3+nJUg172b8e1mei:noZOL+EP8ruwiJX8Qf3+nJUg1uY
Behavioral task
behavioral1
Sample: 880291d677d6775c4d808db72a161db0N.exe
Resource: win7-20240903-en

Malware Config
Extracted
Family: umbral
Webhook URL: https://discord.com/api/webhooks/1279889409478754448/WmAZRacrZJb0KdVBe7QUHg7xbzC0el3fkbHVemV4qy3cq_C566zvdmRjD6U9b_ZKtNtK
Targets
Target: 880291d677d6775c4d808db72a161db0N
Size: 229KB
Detect Umbral payload
Credentials from Password Stores: Credentials from Web Browsers
  Malicious access to or copy of the web browser credential store.
Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Drops file in Drivers directory
Deletes itself
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Enterprise v15
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)