umbral

Sharing

Copy URL

Twitter E-mail

General

Target

NetflixChecker.rar
Size

18.0MB
Sample

241128-g2e36svkgn
MD5

870345e874450b018c16035ecdd2d98d
SHA1

4923efc4bdf882d26c47498cbba6956bacfe73bc
SHA256

8c489447851c7499b4ed710559c74ec6c61978ee5c2d9303d353fd8d50dad035
SHA512

4d28ec528a60f416cc288cc6fc259029f68c2c088e6522b0c7ceb703954556409b3b1febe913c6336230199f374588b3ae9878dd272fbd94d77b9a0297203125
SSDEEP

393216:iA44y+l919iuz9EWRGrK7YUvFhXlKdV4oImsKuTX+QinQNUP4:0xCMQ9EjUdh4zxvVuTX+QFC4

Score

10^/10

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1311076635377664100/Sd5KeNZASyDMdGMxVc-eozZlY1pWCcLmuuBn9jPZLNBn1hhDwHX0pimlF0gYZfNv2Fir

Targets

- Target
  
  Netflix Checker/Data/Jint.dll
- Size
  
  244KB
- MD5
  
  734c5ce8f9b104d8ad3c7b494e96f9b9
- SHA1
  
  184cd4152b1b65d9531867b06c2e1c215fb872f1
- SHA256
  
  ed618668ae9e7c02c7c2b7332dd09079168cca96432a051044683c996337001c
- SHA512
  
  1e3ac0649e3b7bf9e97681aa7b1346aa44afe96d8c86fc77a6e002b8cf5b14b1a57f19f669ed0d4ae9a94d3f65d4eefa99dcffcf5d74afc8731f913c9c9f79d6
- SSDEEP
  
  3072:hE1DupDOGfyKkpsZa27k5t0f5jjBWV239UDjRFAkqYL36ZmvYYGUaKTUCRaikNrJ:hjyQlGunmvjPa2vRQrXPHNQHsq5+L
Score

1^/10
behavioral1 behavioral2
- Target
  
  Netflix Checker/Data/Leaf.xNet.dll
- Size
  
  142KB
- MD5
  
  2c607159e31c1e091697e74efa5cfebe
- SHA1
  
  874d28447e5c1d7583f413db85049bf17de830b5
- SHA256
  
  056900c587b7e574ccd154a83fe299bada653347c3862076b0ef6035039c0bec
- SHA512
  
  bfe7b463db8f0ef5981b4cdf22d2815ec10a941fb7cdeff4a861626f1fa9a29f913c5e971b257a5d206965e1300328b7530c40692889d9065ab95d63a63fe55c
- SSDEEP
  
  3072:iKpUZ/x+t38Q4I2T4EFWX66sU9/dfYJd:vUZ/x+tMnI2T4/XN
Score

1^/10
behavioral3 behavioral4
- Target
  
  Netflix Checker/Data/Modules/Jint.dll
- Size
  
  244KB
- MD5
  
  734c5ce8f9b104d8ad3c7b494e96f9b9
- SHA1
  
  184cd4152b1b65d9531867b06c2e1c215fb872f1
- SHA256
  
  ed618668ae9e7c02c7c2b7332dd09079168cca96432a051044683c996337001c
- SHA512
  
  1e3ac0649e3b7bf9e97681aa7b1346aa44afe96d8c86fc77a6e002b8cf5b14b1a57f19f669ed0d4ae9a94d3f65d4eefa99dcffcf5d74afc8731f913c9c9f79d6
- SSDEEP
  
  3072:hE1DupDOGfyKkpsZa27k5t0f5jjBWV239UDjRFAkqYL36ZmvYYGUaKTUCRaikNrJ:hjyQlGunmvjPa2vRQrXPHNQHsq5+L
Score

1^/10
behavioral5 behavioral6
- Target
  
  Netflix Checker/Data/Modules/Leaf.xNet.dll
- Size
  
  142KB
- MD5
  
  2c607159e31c1e091697e74efa5cfebe
- SHA1
  
  874d28447e5c1d7583f413db85049bf17de830b5
- SHA256
  
  056900c587b7e574ccd154a83fe299bada653347c3862076b0ef6035039c0bec
- SHA512
  
  bfe7b463db8f0ef5981b4cdf22d2815ec10a941fb7cdeff4a861626f1fa9a29f913c5e971b257a5d206965e1300328b7530c40692889d9065ab95d63a63fe55c
- SSDEEP
  
  3072:iKpUZ/x+t38Q4I2T4EFWX66sU9/dfYJd:vUZ/x+tMnI2T4/XN
Score

1^/10
behavioral7 behavioral8
- Target
  
  Netflix Checker/Data/Modules/Netflix.exe
- Size
  
  17.8MB
- MD5
  
  359dbcc119c43ec54316fb2457521626
- SHA1
  
  5b4ccdad2a90f69a4f0c1a0c99e49ea439a182f9
- SHA256
  
  cce009a8f7638628a06b5ab92ec7de3c7c397ef56e6f90e9217116f6c3bbbd47
- SHA512
  
  cca7840788e4a8b3dd911bd101e99e188e293e501272ebe3fcd05c06f0370f014ac590d742fa15afa5dd2bd7e4840b0d33812feeb00ede21ff5f50b633be0ed3
- SSDEEP
  
  393216:1CXMCHWUjccuINZfVQEH4/EuJDzWShYqkHjXWPqIau9/PVuQ0Xa:1CXMb8JzHKXJDiSSjXuqo9/9aa
Score

7^/10
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral10 behavioral9
- Target
  
  Netflix Checker/Data/Modules/Netflix1.exe
- Size
  
  231KB
- MD5
  
  4d4914b127f4375b0c4ad1dd5dd99ff8
- SHA1
  
  153db21998c76d76c1f5d5f52f1f8f55b8f0b3ea
- SHA256
  
  f5ac145bb4853a5801cd13fb2f447384bd83f15b78494c025b4114386c2bf14d
- SHA512
  
  99a3860b040099077ad633bacc8115402ef36a737d2fa1c524b20b67651f0a5a0d4cb84f9cb3a35795196a1a78d3801b10f43abefe4810718e7077304e31cc42
- SSDEEP
  
  6144:xloZM+rIkd8g+EtXHkv/iD4nwkVpkqNlOjLWU1pANgI8e1mKhi:DoZtL+EP8nwkVpkqNlOjLWU1pAfA
Score

10^/10

umbral discovery execution spyware stealer
- Detect Umbral payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Umbral family
  umbral
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Drops file in Drivers directory
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral11 behavioral12
- Target
  
  Netflix Checker/Data/Modules/Newtonsoft.Json.dll
- Size
  
  695KB
- MD5
  
  715a1fbee4665e99e859eda667fe8034
- SHA1
  
  e13c6e4210043c4976dcdc447ea2b32854f70cc6
- SHA256
  
  c5c83bbc1741be6ff4c490c0aee34c162945423ec577c646538b2d21ce13199e
- SHA512
  
  bf9744ccb20f8205b2de39dbe79d34497b4d5c19b353d0f95e87ea7ef7fa1784aea87e10efcef11e4c90451eaa47a379204eb0533aa3018e378dd3511ce0e8ad
- SSDEEP
  
  12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
Score

1^/10
behavioral13 behavioral14
- Target
  
  Netflix Checker/Data/Newtonsoft.Json.dll
- Size
  
  695KB
- MD5
  
  715a1fbee4665e99e859eda667fe8034
- SHA1
  
  e13c6e4210043c4976dcdc447ea2b32854f70cc6
- SHA256
  
  c5c83bbc1741be6ff4c490c0aee34c162945423ec577c646538b2d21ce13199e
- SHA512
  
  bf9744ccb20f8205b2de39dbe79d34497b4d5c19b353d0f95e87ea7ef7fa1784aea87e10efcef11e4c90451eaa47a379204eb0533aa3018e378dd3511ce0e8ad
- SSDEEP
  
  12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
Score

1^/10
behavioral15 behavioral16
- Target
  
  Netflix Checker/Start Checker.bat
- Size
  
  63B
- MD5
  
  2b82a3b6410ab67ea4626cecc7738f85
- SHA1
  
  a08e383f0425af31b60297f640826cad1c1dbb54
- SHA256
  
  78af9d7b81f8de001f209e072a9184b350d0621392cfabb4ef9395d854bac82c
- SHA512
  
  35c9d284d0d4185491700f7a84a7c6d1efd7454df9e04d2dd3664329243a4e837aa6abbb4dde5c5b71fef89b9d103923e88fa39b4c6aacf7fafd0043f75b2fd5
Score

10^/10

umbral discovery execution stealer
- Detect Umbral payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Umbral family
  umbral
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral17 behavioral18

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Loads dropped DLL

Looks up external IP address via web service

Detect Umbral payload

Umbral family

Command and Scripting Interpreter: PowerShell

Command and Scripting Interpreter: PowerShell

Drops file in Drivers directory

Deletes itself

Reads user/profile data of web browsers

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Detect Umbral payload

Umbral

Umbral family

Command and Scripting Interpreter: PowerShell

Drops file in Drivers directory

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18