General

  • Target

    Umbral.exe

  • Size

    232KB

  • Sample

    240909-h2jl2awgrr

  • MD5

    9f44ee04168dfa82d6cf3e2d618bc7c5

  • SHA1

    baed535b08c9b48ca13d6a63c0f2a3f5ba144746

  • SHA256

    bb4f17ec844fb9f40753d03c1a1ac29f239b7821295cef98180091b5de173f05

  • SHA512

    41d9bd4c0d6d968dbde2e037798a054c92539be7b4e9fa7eee638ea6a7e1eb7ffb76ad49dd8307139d302ad39104efadf438e2d45936abda944585a69e879bd7

  • SSDEEP

    6144:BloZM+rIkd8g+EtXHkv/iD4Z1LCv8e1mpkni:zoZtL+EP8ZiVi

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1282599058384490550/kpCZj65-Cw0t04pQ38GT4ov30gz20YGKM49DS7o_zNel4XJUYzhXoih9IOmtmiSfx-CA

Targets

    • Target

      Umbral.exe

    • Size

      232KB

    • MD5

      9f44ee04168dfa82d6cf3e2d618bc7c5

    • SHA1

      baed535b08c9b48ca13d6a63c0f2a3f5ba144746

    • SHA256

      bb4f17ec844fb9f40753d03c1a1ac29f239b7821295cef98180091b5de173f05

    • SHA512

      41d9bd4c0d6d968dbde2e037798a054c92539be7b4e9fa7eee638ea6a7e1eb7ffb76ad49dd8307139d302ad39104efadf438e2d45936abda944585a69e879bd7

    • SSDEEP

      6144:BloZM+rIkd8g+EtXHkv/iD4Z1LCv8e1mpkni:zoZtL+EP8ZiVi

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks