General

  • Target

    Umbral.bat

  • Size

    468KB

  • Sample

    241012-kz7xysxdql

  • MD5

    50c1619dde4c59211f2220d19fd7a2ff

  • SHA1

    f89a90307b00ff0bd2733642ea43427bc304c730

  • SHA256

    b99eb432b5d440a41faf8ed09c3df4ff0cf82ca13fefed8c2cb56ca96960ab4d

  • SHA512

    ed591a3357cc3e3487b708f2e08a74683c93d5e5e16d1978f90f4dc37b77f147bb36ba3cb55318d146c0831f7636baa22006b6c9960db3e8a72dbdc798efb627

  • SSDEEP

    12288:7WdGCJGwwo92cPLI0O8JtFDUB9PvBxdCAI2hlojjF9xq:SNswwxcjJngP3PdCVuM9xq

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1289565581565104128/6_mwv0w1S5A0l9XLPkwW6UmUZxdAw3mP7dh5lsWmFsgqgu5kJGEszt1-zAw_BajgNh6i

Targets

    • Target

      Umbral.bat

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an open-source modular stealer written in C#.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell and hides the display window.

    • Indicator Removal: Clear Windows Event Logs

      Clears Windows Event Logs to hide the activity of an intrusion.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15
