General

  • Target

    fd8810323361a1a2dce67cf6f972c670N

  • Size

    822KB

  • Sample

    240908-pj56msxhre

  • MD5

    fd8810323361a1a2dce67cf6f972c670

  • SHA1

    771b220ddb991aea4084ea7d4c6b7974513f58ad

  • SHA256

    f854e61c5fe94b9cf0f5074174e7008fcf73f4bb8610b04c4a69d465c07a87f2

  • SHA512

    b78d295401953b90f41ddcde26d34678a585818d7f0c1fb98c6995625afad737ce06cb346f086c78de502db671288f44218d901f23b772f2d3026cd571a27323

  • SSDEEP

    12288:uf8gbof4mhRT1sngcKrhQdEiI2wKcj8eFpXnXfpKUFqkj3VyVlq8nK2iRB:C8gbGr2urcEivzeF5Xekj3P2

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1277266868607909908/QiJcGAwDqWNtmVvOEAXbQRof-6-EayQHWtIisK36ihRezCI8pq0CiZEozVxo5r80Fkm9

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1277266868607909908/QiJcGAwDqWNtmVvOEAXbQRof-6-EayQHWtIisK36ihRezCI8pq0CiZEozVxo5r80Fkm9

Targets

    • Target

      fd8810323361a1a2dce67cf6f972c670N

    • Size

      822KB

    • MD5

      fd8810323361a1a2dce67cf6f972c670

    • SHA1

      771b220ddb991aea4084ea7d4c6b7974513f58ad

    • SHA256

      f854e61c5fe94b9cf0f5074174e7008fcf73f4bb8610b04c4a69d465c07a87f2

    • SHA512

      b78d295401953b90f41ddcde26d34678a585818d7f0c1fb98c6995625afad737ce06cb346f086c78de502db671288f44218d901f23b772f2d3026cd571a27323

    • SSDEEP

      12288:uf8gbof4mhRT1sngcKrhQdEiI2wKcj8eFpXnXfpKUFqkj3VyVlq8nK2iRB:C8gbGr2urcEivzeF5Xekj3P2

    • 44Caliber

      An open source infostealer written in C#.

    • Detect Umbral payload

    • Modifies WinLogon for persistence

    • Umbral

      Umbral stealer is an open-source modular stealer written in C#.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks