General

  • Target

    PermSpoofer.rar

  • Size

    6.6MB

  • Sample

    241113-zjswesyfmb

  • MD5

    97121a6787051462f7d5c87c89dabbb9

  • SHA1

    2642f892d1efe500c0745984d6b0542f823b39bc

  • SHA256

    b4b6f0ce548f5ec6207bf0f8350011f953ef5d4011ff288ef5e2e0376cc18ded

  • SHA512

    a28bb2a68d7c41f966634e23cac55833755de2b8ee60d505c775296b93b80d71c77ebbb7a3802997bcdbd0fbeb84bef795e9c775a87a6545e591abc1edafeeba

  • SSDEEP

    196608:yJG8vczhg0vXbvtYHmisBsRzQs+hDiQJsfOrwB:yHvczhRvBDsRzQsGbsOrwB

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1289681227711905882/4ls8QquqVGowr_EXsWQHgHYoYI53Bn36p04PP2sNUo6M6rTng5alXP6ABgXbGM7xSIBW

Targets

    • Target

      Perm Spoofer/Perm Spoofer.exe

    • Size

      2.4MB

    • MD5

      6d154933cb68c115a8c289e8ff8a6072

    • SHA1

      5a724bc8510a86b52d4303e537417e2317cc0286

    • SHA256

      459511219e3f82d6572fa398d3d67f5176bd91f2a9aa9f59e47070872751156e

    • SHA512

      6ee7896fb1beea2c02eb96e671b1027c1a5f61698a6a027814090f1054aad4765be09c68b37afbd40883f7ea5b09f1256ad91cf3b36076e017b76f3e9695ad14

    • SSDEEP

      24576:OKXQXDDJYjxsjehT2QotG/DchIVbQevFMlC/Whp72mZs+mnsz9CyWF4iK+6I/ChQ:OwQXDDJYV92QV/DH9tMY6sPXnwmn2j

    Score
    1/10
    • Target

      Perm Spoofer/brotlicommon.dll

    • Size

      134KB

    • MD5

      06b78499e47b2c93b613d555d613f766

    • SHA1

      617a65ac6b7e0a87532d321b3ccf6a1a6e03ae48

    • SHA256

      4bc96b5293deb2ec399f150b648d11582e50172409469e0bdcb1a2d7b4344841

    • SHA512

      dd7cdb5a385d102664c750ebc097057ddeaf554e5937f5eb66d444da68c792575ed678c1d1194566777bcf2a27062d656b3dcd0ac6daab95ba907a0cb5589ef4

    • SSDEEP

      3072:1Tk4lzbWhNbNL8DXGvVh73pbi0tdpvGJaoZB7PxBZw:1Tk4AhdNorGvHdbi09GJLw

    Score
    1/10
    • Target

      Perm Spoofer/brotlidec.dll

    • Size

      49KB

    • MD5

      2eebbc5aeea0483bd23b37821df77021

    • SHA1

      c1c81fa0e3ceb62950a61f4c2364fa3f68ae9709

    • SHA256

      7d0deb00e9ef1fe068e357196d3398adcdf1b747df68bfaf043dde13be3be67b

    • SHA512

      3ee60b7abe8a61971226f30529711e0600ce024198aacffa8536ab594bd014d26b22e0b6c9ac1f7e0c2feb94a3584a101c1548d7691214be0d652898ce87b305

    • SSDEEP

      768:iRc1dGuGMH5uA7Y9QkEQ6DD2m29HvyZazQxARbYs30ZzY1:i6Hn5hM91EQ6vF29HKyGY

    Score
    1/10
    • Target

      Perm Spoofer/bz2.dll

    • Size

      74KB

    • MD5

      4a8df49dc6f85ecd100d9602a000fc55

    • SHA1

      46124bc99360d23df7d11efc66779ee410d6f0f8

    • SHA256

      8c22c5a5525a58cf5ee30bab6a9c67bf1911ca6c162fca0fb6234918983bdac0

    • SHA512

      547434a05a2ec5ce752f44f56dbb56bc6cf88d9ccc4b1c3532c6d3b7586f8c6a204f6ecf2cb6002f7f5489a05615c09b349155d4f990cf8933ddf3c1c824492f

    • SSDEEP

      1536:q1uS1dcv95FBSQhLHNUgViZ/273Dd96lrDUXuepE8Gr:KkhHNJ8p2r8rWuepXu

    Score
    1/10
    • Target

      Perm Spoofer/cracked.exe

    • Size

      2.3MB

    • MD5

      3299b332914a579ba3bcd7d9776b426a

    • SHA1

      285e12334cc6c26bd3c4a8a302e58f13024e9af3

    • SHA256

      cd9ec5070f7245c4e4fec6cbfd6dfc5f6765a85d74c7d47656b8b8cb60259a30

    • SHA512

      367e70c601d1aadc3b6e9a07ce56bc3b696b1370eac6fa5d82be59022232fe3928baca109748d36e58a5da28e6f0f429926b1796ab13786e506d70a73f5965d3

    • SSDEEP

      49152:hMnpaiT1QY2Dp1F0fa3+Gf3WenWtn2jE:hDixQx/4M

    Score
    1/10
    • Target

      Perm Spoofer/dumped files/ASUSPDF2.bat

    • Size

      1KB

    • MD5

      471cc43c13cb0d8919d28bb41eb5e23b

    • SHA1

      cfcf0ad3d6b529443e50fe8d74150ddf5548597c

    • SHA256

      42475a5efcf83ad7a824d3bebb7e66f21153209e7e8850d0d39164393a7bc608

    • SHA512

      243cf363d9556b4ce479cf5dfabf2e11bdeb4257b2c0db27032b4bd55295228cad16bd95189f9368cd409ab8fed7bbc8e9bc4194d71615c63ac04781ee41aa51

    Score
    5/10
    • Drops file in System32 directory

    • Target

      Perm Spoofer/dumped files/AsDeviceCheck.exe

    • Size

      377KB

    • MD5

      bb47a42ad91a3ec8c1daa68ef714ced3

    • SHA1

      63b2402c1718343c2082e8890290cfe9405f049d

    • SHA256

      bdb8595e4b84f6187ca2c6def98bc94a434c20badeabc2d415e17b720dc94222

    • SHA512

      58f18d5e04a236fb49aa07b859e13464aa7c822809c177c051a8f3937f4227e3ca8586614c1983a528b7ca59324728685a879711d13a70bbf2398a4fa4294806

    • SSDEEP

      6144:u0lLNvLmP/LgoYG5HViOlHH7qKPUcky2FpwhPa24UW3Plqr9hU0Rgr:lzmP/Lgk5HViOlHH7qKPfky2FpwhyV3j

    Score
    1/10
    • Target

      Perm Spoofer/dumped files/AsDeviceChk.sys

    • Size

      36KB

    • MD5

      9accebd928a8926fecf317f53cd1c44e

    • SHA1

      d7d71135cc3cf7320f8e63cefb6298dd44e5b1d4

    • SHA256

      811e5d65df60dfb8c6e1713da708be16d9a13ef8dfcd1022d8d1dda52ed057b2

    • SHA512

      2563402cc8e1402d9ac3a76a72b7dab0baa4ecd03629cc350e7199c7e1e1da4000e665bd02ac3a75fd9883fa678b924c8b73d88d8c50bf9d2ae59254a057911e

    • SSDEEP

      768:cBOmh786zi+NqkO8Ouwn3uivOyiRZSFInq1os29zjTUD:cXi+NXwnecOyiaFInq1lCz+

    Score
    1/10
    • Target

      Perm Spoofer/dumped files/AsusPDF.bat

    • Size

      105B

    • MD5

      2efd18c35acbc250a4acadae1e4c842c

    • SHA1

      5660ce7f4cf82ea2965d754abc091063035ddd6e

    • SHA256

      6e3bdbc7a5fbd8ec32f23d21b7c11ca701c7daab21504621b58d23129929ece5

    • SHA512

      cfeb970c55b02213138ec9d213100b516862523754b8bd09824e6b2fe0a271482484803a94728639ff514891fca8ca55b35d800bb88c8b316d0939651f930dc9

    Score
    1/10
    • Target

      Perm Spoofer/dumped files/afuefix64.efi

    • Size

      682KB

    • MD5

      e4a02ec6ca1aed032ff936bb4ec25501

    • SHA1

      7221a9f33d9c6936077fd99bd3f51bc5692ff3b2

    • SHA256

      d33045e0f9c9edec05f7c7d568539d6e66209f9896538bf626b00c0b039dcf0f

    • SHA512

      46128b837f708a9cb36dbe455e091981ee5637154d2a10dcd78f2da149b651db66ced8c44dc76f2647916d933606d41f7a2c11e7d16f92f63b50f83028f74ddf

    • SSDEEP

      12288:wv9l8ql6Gq9LcMzkE9QK6gF6eaKSBS5XjRw/F:Ml8ql6t9LcMzkE9Q7goegBIjRw/F

    Score
    1/10
    • Target

      Perm Spoofer/dumped files/amideefix64.efi

    • Size

      421KB

    • MD5

      f4a05af91088785685cb4e941aebfd52

    • SHA1

      cf3a129d60bd0fc7772706b44f3a4bd73825ebc9

    • SHA256

      a7635bda29cf344f0e9650c012a37f38eececfe1d199ac247d69ae4f34731be4

    • SHA512

      e61f182e540c4584d5db49cccc73283369519c3f9827522431306fb8d3e5c9c994901f494352b172720bf761833ddb966756c05e74d15a597a149f86bacda630

    • SSDEEP

      6144:k7fizs5ZPvWWDFLiebFhQahgu2Ogk2xOVLlEFsh:k7f3vjkuhg7OmxOV

    Score
    1/10
    • Target

      Perm Spoofer/dumped files/bootx64.efi

    • Size

      941KB

    • MD5

      4692305d884feeaac0c22cb2fb94aa72

    • SHA1

      ff64c8245e9d775d76f0b0ff26c8ec548ff07a00

    • SHA256

      38d461a6debcda499a0660d11d051a68cc32fe459d4f370f77123b809a9286d3

    • SHA512

      40e0a4521f3fe7698ef24a64eda1ac1ecef78afcb69f4a0fbcf24641db95d7faf110c6afcabb955bc4078acabb5d9ca8dc35ada57f1f125eb6300f9aee672a04

    • SSDEEP

      12288:3ZMUTrc8WmOKIPk6n0W4jH2qD/tFA3o+3cBKNz:3ZMUTSmePk6n0PjH2e/tFvUNz

    Score
    1/10
    • Target

      Perm Spoofer/dumped files/disk.bat

    • Size

      13KB

    • MD5

      0c345568b15f4163d3955388cfa615f4

    • SHA1

      069c7b499e8f68fb90d316d6114440ef762507d6

    • SHA256

      28dc4e8c24c16af0910f3542ec8ae12376e668e45ba310a7f25c87ab4bfb89e8

    • SHA512

      d4619bbb7bfeccf0bb3ea7259fec6a8324aadd544017ee0df0390339d112fd0ced6707d91fc5036faf2c4cbcc9326c4ba57befbbdf909c2306c109acdba6c543

    • SSDEEP

      192:dIo4yR9Y9A/r1/kMUnNLyCYSvGOqHQ28lh9YDpqWkSyt1ninmdKgZ:3xR9hjF/UnECROBClh9YDpDkSy3inlo

    Score
    6/10
    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Target

      Perm Spoofer/dumped files/fixserials.exe

    • Size

      229KB

    • MD5

      9252505656ab18c34d4ecff6a7f86263

    • SHA1

      dfa01cbe5c99fbf67a5063f99c67669382e43356

    • SHA256

      78da8433390c0aaf2e5f748ff266bacad23fe9d05b1834eabceeb6ad69859589

    • SHA512

      5e270de9982c3137c16e32fa4c88f9a414893c623fbcdd5cb2f3ff9bbf82eac82bb8d01100d60ea8633da875b36df39d657a9090e393d4fdf717575821bce8a5

    • SSDEEP

      6144:lloZMcrIkd8g+EtXHkv/iD4l6qZEKtFu9r20VJgU8b8e1mbDi:noZrL+EP8l6qZEKtFu9r20VJgZd

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an open-source modular stealer written in C#.

    • Umbral family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      Perm Spoofer/dumped files/iqvw64e.sys

    • Size

      3.2MB

    • MD5

      a67b478beb2166013bf4ae4de6527f6f

    • SHA1

      078ee9c300302b49f64d33b47f2cbc38575ea69c

    • SHA256

      efefd03984e131c6ab6f3a7ec6e47a0176f4bbc9ba59955c1fb81c0fb9735dc8

    • SHA512

      2a6bb7406f33a3fa935dbcbab2a8086f44d5046cd865c69ef8ff37bbc617871b56ffb0ecf2a8137e57b86a40e8c34fb43eaa9558ca4e52980595d369d00783e5

    • SSDEEP

      49152:192Aga0jmeUxVcw/8+Aa5qktTY82oIoTq+sNLAPLmrx7/F99CcpEnj1gpMLXH47L:Pga0jRCaCW6ndTqZoQjc5SpMIL

    Score
    1/10
    • Target

      Perm Spoofer/dumped files/mac.bat

    • Size

      1KB

    • MD5

      707c798832f76eb383a0501b2773ec32

    • SHA1

      3ebd0413af9929109ea0eb0045a2d26a256e771f

    • SHA256

      940f3e68e62ad73c0668e854d821d88eacc8ea8fb8e130e42a34368ae9f5852e

    • SHA512

      13e92ef958cfcc5686a2886b4a011f2287ec261028db0c6816d738eb715490d69ca37f8232e7bb3bebd5d49ce65bf4b9f55ae12d4af056bf569e5a1dba2f3da9

    • Target

      Perm Spoofer/dumped files/tpmbypass.exe

    • Size

      361KB

    • MD5

      e52dbee99540de26acb3609e292fd608

    • SHA1

      025a222472b6a93bdcdccf3d65b4f7048de4da82

    • SHA256

      d45bf64f19b01d5fcd4cfd4428c58ee8ce6ea5a2d62c66bde89c54cb4ea13336

    • SHA512

      a334d28a4453de90e86dd670f3ca48fceaf3045f6f74a5d171e7eb1c905498bcd10a8a2acfbd06177a99501f313376fadf82f2b563310f63081d873326b97f9e

    • SSDEEP

      3072:DTqOQE9youE4btOFqghJdvNC5t+rgWeQnkiXPRizVBJm5jNs2l0hL4:NQ2ut0YkgWJkDm5jNs2la8

    Score
    1/10

MITRE ATT&CK Enterprise v15

Tasks

static1

umbral
Score
10/10

behavioral1

Score
1/10

behavioral2

Score
1/10

behavioral3

Score
1/10

behavioral4

Score
1/10

behavioral5

Score
1/10

behavioral6

Score
1/10

behavioral7

Score
1/10

behavioral8

Score
1/10

behavioral9

Score
1/10

behavioral10

Score
1/10

behavioral11

Score
1/10

behavioral12

Score
5/10

behavioral13

Score
1/10

behavioral14

Score
1/10

behavioral15

Score
1/10

behavioral16

Score
1/10

behavioral17

Score
1/10

behavioral18

Score
1/10

behavioral19

Score
1/10

behavioral20

Score
1/10

behavioral21

Score
1/10

behavioral22

Score
1/10

behavioral23

Score
1/10

behavioral24

Score
1/10

behavioral25

Score
6/10

behavioral26

umbral discovery execution spyware stealer
Score
10/10

behavioral27

umbral discovery execution spyware stealer
Score
10/10

behavioral28

Score
1/10

behavioral29

persistence privilege_escalation
Score
3/10

behavioral30

Score
1/10

behavioral31

Score
1/10

behavioral32

Score
1/10