General

  • Target: nvngx_dlss.dll
  • Size: 5.8MB
  • Sample: 241029-b7ndvaznaj
  • MD5: 8de5c0e5b2257874f05b2dbca186dc6a
  • SHA1: 1e76d52f66d37e804a6c0b93e242fcf2a402705c
  • SHA256: 788cf3cb6aaba23ae7735a80b0ac34ea62ccdac8851b94ad0a185137c2b72297
  • SHA512: 75e5724ed2b28e1294a042a05c082346be5a1186f6a8547ba5b9ddd623c5a37872f36c637833133fa88d00e237fffaa619c35976bed558cd66f32b4c153026f5
  • SSDEEP: 98304:Es2V9unkmnmFZZb5U39X0VFCb5cFUH+MRKqzFRShhDzij5IZdaaaU4ksdW80t/5:E9unjnu/beiQMU15UhNej5IsUOdWD15

Malware Config

Extracted

  • Family: umbral
  • C2: https://discord.com/api/webhooks/1286314458028834867/yKG65rXAPQ0O6J-mHuUbeHui0J1VN6nIRNQYJzDQ9n4Jzx4zD57TzvNsJrOfWLaF3etV

Targets

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an open-source modular stealer written in C#.

    • Umbral family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Blocklisted process makes network request

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks