General
-
Target
Umbral (2).exe
-
Size
232KB
-
Sample
240908-e2f95ayard
-
MD5
0a1a80122976fd1b62cd01889535b700
-
SHA1
e14b2b77529495b62f54d4ca7828acba8e3e5788
-
SHA256
b176f79057adf0432e8cedb42d0d2ec44ac772da03a629bd97f4febf0cb7347d
-
SHA512
4e9ef98911a2131681e5acf23ca1d679455374f905eb54e05f70b48d7c59098f7a6048fc89f5afdcd4570d047341490a75ceed4fd9e787f7eb18167f214d63a9
-
SSDEEP
6144:xloZM+rIkd8g+EtXHkv/iD42L57aMS1NmPzus9x4XNb8e1mVW3i:DoZtL+EP82L57aMS1NmPzus9x49G
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1281412306231627816/Vl8fqnQtA_kMBAcC7Fx8BOMTPo_RW0sS8NiyKNmGBz2sNT_ZS6Dtq2WkPVebYe8xVZVO
Targets
-
-
Target
Umbral (2).exe
-
Size
232KB
-
MD5
0a1a80122976fd1b62cd01889535b700
-
SHA1
e14b2b77529495b62f54d4ca7828acba8e3e5788
-
SHA256
b176f79057adf0432e8cedb42d0d2ec44ac772da03a629bd97f4febf0cb7347d
-
SHA512
4e9ef98911a2131681e5acf23ca1d679455374f905eb54e05f70b48d7c59098f7a6048fc89f5afdcd4570d047341490a75ceed4fd9e787f7eb18167f214d63a9
-
SSDEEP
6144:xloZM+rIkd8g+EtXHkv/iD42L57aMS1NmPzus9x4XNb8e1mVW3i:DoZtL+EP82L57aMS1NmPzus9x49G
-
Detect Umbral payload
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1