General
-
Target
fd8810323361a1a2dce67cf6f972c670N
-
Size
822KB
-
Sample
240908-pj56msxhre
-
MD5
fd8810323361a1a2dce67cf6f972c670
-
SHA1
771b220ddb991aea4084ea7d4c6b7974513f58ad
-
SHA256
f854e61c5fe94b9cf0f5074174e7008fcf73f4bb8610b04c4a69d465c07a87f2
-
SHA512
b78d295401953b90f41ddcde26d34678a585818d7f0c1fb98c6995625afad737ce06cb346f086c78de502db671288f44218d901f23b772f2d3026cd571a27323
-
SSDEEP
12288:uf8gbof4mhRT1sngcKrhQdEiI2wKcj8eFpXnXfpKUFqkj3VyVlq8nK2iRB:C8gbGr2urcEivzeF5Xekj3P2
Static task
static1
Behavioral task
behavioral1
Sample
fd8810323361a1a2dce67cf6f972c670N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
fd8810323361a1a2dce67cf6f972c670N.exe
Resource
win10v2004-20240802-en
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1277266868607909908/QiJcGAwDqWNtmVvOEAXbQRof-6-EayQHWtIisK36ihRezCI8pq0CiZEozVxo5r80Fkm9
Extracted
44caliber
https://discord.com/api/webhooks/1277266868607909908/QiJcGAwDqWNtmVvOEAXbQRof-6-EayQHWtIisK36ihRezCI8pq0CiZEozVxo5r80Fkm9
Targets
-
-
Target
fd8810323361a1a2dce67cf6f972c670N
-
Size
822KB
-
MD5
fd8810323361a1a2dce67cf6f972c670
-
SHA1
771b220ddb991aea4084ea7d4c6b7974513f58ad
-
SHA256
f854e61c5fe94b9cf0f5074174e7008fcf73f4bb8610b04c4a69d465c07a87f2
-
SHA512
b78d295401953b90f41ddcde26d34678a585818d7f0c1fb98c6995625afad737ce06cb346f086c78de502db671288f44218d901f23b772f2d3026cd571a27323
-
SSDEEP
12288:uf8gbof4mhRT1sngcKrhQdEiI2wKcj8eFpXnXfpKUFqkj3VyVlq8nK2iRB:C8gbGr2urcEivzeF5Xekj3P2
-
Detect Umbral payload
-
Modifies WinLogon for persistence
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2