General

  • Target

    Umbral.exe

  • Size

    232KB

  • Sample

    240908-fe7n8szara

  • MD5

    0a1a80122976fd1b62cd01889535b700

  • SHA1

    e14b2b77529495b62f54d4ca7828acba8e3e5788

  • SHA256

    b176f79057adf0432e8cedb42d0d2ec44ac772da03a629bd97f4febf0cb7347d

  • SHA512

    4e9ef98911a2131681e5acf23ca1d679455374f905eb54e05f70b48d7c59098f7a6048fc89f5afdcd4570d047341490a75ceed4fd9e787f7eb18167f214d63a9

  • SSDEEP

    6144:xloZM+rIkd8g+EtXHkv/iD42L57aMS1NmPzus9x4XNb8e1mVW3i:DoZtL+EP82L57aMS1NmPzus9x49G

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1281412306231627816/Vl8fqnQtA_kMBAcC7Fx8BOMTPo_RW0sS8NiyKNmGBz2sNT_ZS6Dtq2WkPVebYe8xVZVO

Targets

    • Target

      Umbral.exe

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an open-source modular stealer written in C#.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Drops file in Drivers directory

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15
