General
-
Target
NursultanRealese.exe
-
Size
245KB
-
Sample
241128-1xmf8sxrbj
-
MD5
cd46141c0f7707d1b4be3187a4c922cd
-
SHA1
36ff990729059807dd86027fb11a5ba26609588c
-
SHA256
ec3e59d47b01bb3c53ec23cb06829a302e9c6385a7898460138249de6f0cd4b6
-
SHA512
61f82d754268476ece6e2b83e71494f32feecee37366542fbfa533a57c8aeb2b8f00ce4bcc30ca4730594eafe0ae8e0aca5660009f6d40a1b05895a4cb385c27
-
SSDEEP
6144:dloZM+rIkd8g+EtXHkv/iD4ZHPtxd58e1my+Jizq6:/oZtL+EP8R1xznhz
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1301312698985746583/K1fGKcUXfYQcRHyvEdGJsIJ-5P6lyoAfZOWMo_iC0DqlTxrw3f19gxORH3lqzeMsJT4G
Targets
-
-
Target
NursultanRealese.exe
-
Size
245KB
-
MD5
cd46141c0f7707d1b4be3187a4c922cd
-
SHA1
36ff990729059807dd86027fb11a5ba26609588c
-
SHA256
ec3e59d47b01bb3c53ec23cb06829a302e9c6385a7898460138249de6f0cd4b6
-
SHA512
61f82d754268476ece6e2b83e71494f32feecee37366542fbfa533a57c8aeb2b8f00ce4bcc30ca4730594eafe0ae8e0aca5660009f6d40a1b05895a4cb385c27
-
SSDEEP
6144:dloZM+rIkd8g+EtXHkv/iD4ZHPtxd58e1my+Jizq6:/oZtL+EP8R1xznhz
Score10/10-
Detect Umbral payload
-
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
-
Umbral family
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Drops file in Drivers directory
-
Deletes itself
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1