General

  • Target

    test.exe

  • Size

    227KB

  • Sample

    241017-zc26hsxhmk

  • MD5

    7132f3f19b959294d470c06af357e192

  • SHA1

    feb85b0836d9a52af2648174e4f53268ca20a309

  • SHA256

    aa59ece71acd81ec09202b22af8e1a9d5664412d9bc99c9aa8ea1522467cc128

  • SHA512

    b2dc88639c96e83a7138c361f43b52bdd62aa17af347fe46b1c007752c6c3e745e3188c6d8e89e4fcf68a506135eb94e9afa190a9b06acbd6304cc3d37ef2491

  • SSDEEP

    6144:eloZM9rIkd8g+EtXHkv/iD40tVZQWRJ66vSgR1EsUcb8e1myi:IoZOL+EP80tVZQWRJ66vSgR1Eu8

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1296560289818480691/ulnfTZvQzO_rSsv2ax9-ULnnINXCyJz88OOjVQXiZ_dqa5trdVDnncFvpjubS3i_jPrx

Targets

    • Target

      test.exe

    • Size

      227KB

    • MD5

      7132f3f19b959294d470c06af357e192

    • SHA1

      feb85b0836d9a52af2648174e4f53268ca20a309

    • SHA256

      aa59ece71acd81ec09202b22af8e1a9d5664412d9bc99c9aa8ea1522467cc128

    • SHA512

      b2dc88639c96e83a7138c361f43b52bdd62aa17af347fe46b1c007752c6c3e745e3188c6d8e89e4fcf68a506135eb94e9afa190a9b06acbd6304cc3d37ef2491

    • SSDEEP

      6144:eloZM9rIkd8g+EtXHkv/iD40tVZQWRJ66vSgR1EsUcb8e1myi:IoZOL+EP80tVZQWRJ66vSgR1Eu8

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Drops file in Drivers directory

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks