General
-
Target
test.exe
-
Size
227KB
-
Sample
241017-zpt1nswbpa
-
MD5
7132f3f19b959294d470c06af357e192
-
SHA1
feb85b0836d9a52af2648174e4f53268ca20a309
-
SHA256
aa59ece71acd81ec09202b22af8e1a9d5664412d9bc99c9aa8ea1522467cc128
-
SHA512
b2dc88639c96e83a7138c361f43b52bdd62aa17af347fe46b1c007752c6c3e745e3188c6d8e89e4fcf68a506135eb94e9afa190a9b06acbd6304cc3d37ef2491
-
SSDEEP
6144:eloZM9rIkd8g+EtXHkv/iD40tVZQWRJ66vSgR1EsUcb8e1myi:IoZOL+EP80tVZQWRJ66vSgR1Eu8
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1296560289818480691/ulnfTZvQzO_rSsv2ax9-ULnnINXCyJz88OOjVQXiZ_dqa5trdVDnncFvpjubS3i_jPrx
Targets
-
-
Target
test.exe
-
Size
227KB
-
MD5
7132f3f19b959294d470c06af357e192
-
SHA1
feb85b0836d9a52af2648174e4f53268ca20a309
-
SHA256
aa59ece71acd81ec09202b22af8e1a9d5664412d9bc99c9aa8ea1522467cc128
-
SHA512
b2dc88639c96e83a7138c361f43b52bdd62aa17af347fe46b1c007752c6c3e745e3188c6d8e89e4fcf68a506135eb94e9afa190a9b06acbd6304cc3d37ef2491
-
SSDEEP
6144:eloZM9rIkd8g+EtXHkv/iD40tVZQWRJ66vSgR1EsUcb8e1myi:IoZOL+EP80tVZQWRJ66vSgR1Eu8
Score10/10-
Detect Umbral payload
-
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Drops file in Drivers directory
-
Deletes itself
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1