General
-
Target
Emerald X.zip
-
Size
2.9MB
-
Sample
240917-a47gwaycpm
-
MD5
6d5e6bb315019834ad58da276fb2b4ee
-
SHA1
c3dfebcf3caf961c745a070c58a78dd5c30bd368
-
SHA256
6b3fb6fce70e0a6cbe4dec6627f76ff70414048360f03c7d72099fbd059591ed
-
SHA512
6619981ecb97ec806c3a0c57cab618f17f214a0e96c26ff7f31f26362ba7facf0667e874269d51ee38e2705c0eaed4cbb0eacf8ea92aae150271f635f2ccf213
-
SSDEEP
49152:Gf+JRr8UFdx5nmGAlo1S6OxurnJtB1Xgaon+3BzWVoZ0AEk:G2bdx5nmc7OcnJhXge3BzWiZ0Ab
Behavioral task
behavioral1
Sample
Emerald X/Emerald.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Emerald X/Emerald.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
Emerald X/Injector.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
Emerald X/Injector.exe
Resource
win10v2004-20240802-en
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1282641542556811284/XhP2lBGmy2WSxK1y0l23RHuQqEin2SHIJODdzqGhEFoaXh5jRVDNcIXTEi8GEfBNxtlo
Targets
-
-
Target
Emerald X/Emerald.exe
-
Size
229KB
-
MD5
f50a9b0c2670af5b0e3371ecdcebed27
-
SHA1
e114834c05d2e86db3c3d45ccbd46a7c32950167
-
SHA256
abbf1cd65c8d762019873c47b45e374d0c75cb28ddf754a8ddb35501f3cb63b2
-
SHA512
21784568e5f27bbd0235fb37d7a7381055da13f27c00b6399bbb09b286bc58a965f00bb925950855392aad57678d34ccd0de4d13b10f9ae7503bc192143a90c6
-
SSDEEP
6144:lloZM+rIkd8g+EtXHkv/iD4eudRU69VecbGkFZwEPb8e1moi:noZtL+EP8eudRU69VecbGkFZwWq
-
Detect Umbral payload
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory
-
Deletes itself
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
Emerald X/Injector.exe
-
Size
5.5MB
-
MD5
072bd8b0166f4e8c134fddd1a91b16c6
-
SHA1
da0e078b22b6739eb2ae67ef3dd7ac7ee841f96c
-
SHA256
f84e39b3be2ba74691b82dab25a4d42d13535f138d9c69ffe37d45d90612a34f
-
SHA512
5ff3173c47a7718c41076507a5c3d8e83021928dead3c82ce6e46b4609afa6ffa4af7cd4af1b779805c00ccd5b9ee5a59144c0507bb17db8fad77b0e144ee828
-
SSDEEP
49152:uACTPFe76hHoYwVbV+huHplzrvTAm+DGjV1ykc+nPsbn3+nM6Pzs0dn3dnndn+dF:WwHpoe6
Score1/10 -
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1