General

  • Target

    Emerald X.zip

  • Size

    2.9MB

  • Sample

    240917-a47gwaycpm

  • MD5

    6d5e6bb315019834ad58da276fb2b4ee

  • SHA1

    c3dfebcf3caf961c745a070c58a78dd5c30bd368

  • SHA256

    6b3fb6fce70e0a6cbe4dec6627f76ff70414048360f03c7d72099fbd059591ed

  • SHA512

    6619981ecb97ec806c3a0c57cab618f17f214a0e96c26ff7f31f26362ba7facf0667e874269d51ee38e2705c0eaed4cbb0eacf8ea92aae150271f635f2ccf213

  • SSDEEP

    49152:Gf+JRr8UFdx5nmGAlo1S6OxurnJtB1Xgaon+3BzWVoZ0AEk:G2bdx5nmc7OcnJhXge3BzWiZ0Ab

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1282641542556811284/XhP2lBGmy2WSxK1y0l23RHuQqEin2SHIJODdzqGhEFoaXh5jRVDNcIXTEi8GEfBNxtlo

Targets

    • Target

      Emerald X/Emerald.exe

    • Size

      229KB

    • MD5

      f50a9b0c2670af5b0e3371ecdcebed27

    • SHA1

      e114834c05d2e86db3c3d45ccbd46a7c32950167

    • SHA256

      abbf1cd65c8d762019873c47b45e374d0c75cb28ddf754a8ddb35501f3cb63b2

    • SHA512

      21784568e5f27bbd0235fb37d7a7381055da13f27c00b6399bbb09b286bc58a965f00bb925950855392aad57678d34ccd0de4d13b10f9ae7503bc192143a90c6

    • SSDEEP

      6144:lloZM+rIkd8g+EtXHkv/iD4eudRU69VecbGkFZwEPb8e1moi:noZtL+EP8eudRU69VecbGkFZwWq

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Drops file in Drivers directory

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      Emerald X/Injector.exe

    • Size

      5.5MB

    • MD5

      072bd8b0166f4e8c134fddd1a91b16c6

    • SHA1

      da0e078b22b6739eb2ae67ef3dd7ac7ee841f96c

    • SHA256

      f84e39b3be2ba74691b82dab25a4d42d13535f138d9c69ffe37d45d90612a34f

    • SHA512

      5ff3173c47a7718c41076507a5c3d8e83021928dead3c82ce6e46b4609afa6ffa4af7cd4af1b779805c00ccd5b9ee5a59144c0507bb17db8fad77b0e144ee828

    • SSDEEP

      49152:uACTPFe76hHoYwVbV+huHplzrvTAm+DGjV1ykc+nPsbn3+nM6Pzs0dn3dnndn+dF:WwHpoe6

    Score
    1/10

MITRE ATT&CK Enterprise v15

Tasks