General
-
Target
9665f625dacc3edc5a75c34d464359e0N
-
Size
231KB
-
Sample
240911-w4n67awapj
-
MD5
9665f625dacc3edc5a75c34d464359e0
-
SHA1
166a91b93c7a8de708ee4eebea7706085996c3f7
-
SHA256
e358e74aa9503094559d9c580d2c535c1e8f4ae202ba2afa0a4bc1c97509eb7d
-
SHA512
00698c46aa028ff1ce576684f9846391cdd9ea15e19ec724b3ffc6ffdf7c9d622e6d48d7c5dedfffa885c69f36023d8b95607c4ff3eca5b575f3940504b8c5e4
-
SSDEEP
6144:xloZMmrIkd8g+EtXHkv/iD4iAFMW0b3cnNImHHmxtb8e1m3Nri:DoZ1L+EP8iAFMW0b3cnNImHHm7n
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1281300759257813084/TAtw9va6em7-ZqM6ACI6dzMxdFXgkd__1WPgtjIMD52XeMq5ufX0eo_Tb-lncTS3lDWo
Targets
-
-
Target
9665f625dacc3edc5a75c34d464359e0N
-
Size
231KB
-
MD5
9665f625dacc3edc5a75c34d464359e0
-
SHA1
166a91b93c7a8de708ee4eebea7706085996c3f7
-
SHA256
e358e74aa9503094559d9c580d2c535c1e8f4ae202ba2afa0a4bc1c97509eb7d
-
SHA512
00698c46aa028ff1ce576684f9846391cdd9ea15e19ec724b3ffc6ffdf7c9d622e6d48d7c5dedfffa885c69f36023d8b95607c4ff3eca5b575f3940504b8c5e4
-
SSDEEP
6144:xloZMmrIkd8g+EtXHkv/iD4iAFMW0b3cnNImHHmxtb8e1m3Nri:DoZ1L+EP8iAFMW0b3cnNImHHm7n
Score10/10-
Detect Umbral payload
-
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-