General

  • Target

    sybersec.rar

  • Size

    1.1MB

  • Sample

    241128-jy32ya1mdv

  • MD5

    0cf0c7b2beec7b554978a4a8c379c035

  • SHA1

    0c99d38801e2502da75cc33c0a758eb6f50953f4

  • SHA256

    b9dbdd3444445ce02cab79fc62117bf55a61eb921228150e11ed540cf1fcd4e0

  • SHA512

    9f6a14bcf23fbf62894565ea0ed2a4ba1f7a845497b35cb8a7a919fbf70d708328e17204db6062969ed4f202e654d78da2ed6c01f41e37fcf65eacd5e37c68a3

  • SSDEEP

    24576:PoQNfJ088tydtKfrxEV+WVMLa59IGCVtybjJQd:AQ9Jl8ty/KfukoMLi9Ivtgj6

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1311602984152600606/wcG26MMfNLtmUgurpnrq9KfoooNMhJSn62Nzx43I0sekrublXlycBDl0or6UoMIG_Pti
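
The C2 above is a Discord webhook, the "legitimate hosting service" the signature list flags further down. The following is an added example for this report, not sandbox output and not Umbral's own code: it pulls webhook URLs out of a sample's raw bytes (including the UTF-16LE string literals a .NET/C# binary carries) and decodes the webhook ID, which is a Discord snowflake, into the time the webhook was created. The only real input is this report's URL; the bytes wrapped around it are constructed, and the `defang` helper and all function names are the example's own.

```python
"""Pull Discord webhook C2 URLs out of a sample and date the webhook.

Added example for this report; it is not sandbox output and not Umbral code.
The only real input is the webhook URL from the Malware Config section; the
bytes around it are constructed to look like a .NET binary's string table.
"""
import re
from datetime import datetime, timezone

# Hosts Discord webhooks are served from; the ID is a 17-20 digit snowflake and
# the token is a base64url-style string (lengths vary, so only a floor is set).
WEBHOOK_RE = re.compile(
    rb"https?://(?:(?:ptb|canary)\.)?discord(?:app)?\.com/api/webhooks/"
    rb"(\d{17,20})/([A-Za-z0-9_-]{20,})"
)

DISCORD_EPOCH_MS = 1_420_070_400_000  # 2015-01-01T00:00:00Z


def snowflake_to_datetime(snowflake: int) -> datetime:
    """The top 42 bits of a Discord snowflake are milliseconds since the
    Discord epoch, so the webhook ID tells you when the webhook was created."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def defang(url: str) -> str:
    """Make an IOC safe to paste into a ticket or report."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def find_discord_webhooks(data: bytes) -> list[dict]:
    """Return one record per distinct webhook found in raw bytes.

    .NET string literals (Umbral is C#) are stored UTF-16LE, so a second pass
    runs over a copy with the NUL bytes dropped; records are de-duplicated on
    the webhook ID so a URL present in both encodings is reported once."""
    found: dict[int, dict] = {}
    for blob in (data, data.replace(b"\x00", b"")):
        for m in WEBHOOK_RE.finditer(blob):
            webhook_id = int(m.group(1))
            if webhook_id in found:
                continue
            found[webhook_id] = {
                "url": m.group(0).decode("ascii"),
                "webhook_id": webhook_id,
                "token": m.group(2).decode("ascii"),
                "created": snowflake_to_datetime(webhook_id).isoformat(timespec="seconds"),
            }
    return list(found.values())


# Constructed sample: the C2 URL reported above, embedded UTF-16LE between
# junk bytes, the way it would sit in a .NET binary's #US string heap.
C2_URL = ("https://discord.com/api/webhooks/1311602984152600606/"
          "wcG26MMfNLtmUgurpnrq9KfoooNMhJSn62Nzx43I0sekrublXlycBDl0or6UoMIG_Pti")
SAMPLE = b"MZ\x90\x00" + b"\x00" * 16 + C2_URL.encode("utf-16-le") + b"\x00" * 8

if __name__ == "__main__":
    for hit in find_discord_webhooks(SAMPLE):
        print(defang(hit["url"]), "created", hit["created"])
```

Run on this report's URL, the decoded creation time falls on 2024-11-28, the same day that appears to be stamped into the Sample identifier above (241128), which is a quick way to judge whether a webhook was set up for this campaign or is a long-lived one shared across builds. The webhook ID and token together are what a responder reports to Discord for takedown; the token alone is enough for anyone to post to the channel, so keep the undefanged URL out of shared tickets.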

Targets

    • Target

      HTTP-RAND.js

    • Size

      404KB

    • MD5

      9078dba168d9b12f07abb1201456b106

    • SHA1

      b2a2e1e154e09f4d2086cb6e122db0b76970f679

    • SHA256

      29b62306eabf117cb39cef354e03316cd24c07fc770b0f7195ca724dbbfb19e9

    • SHA512

      7893e049ac7db1310d9f80f239f20cf578f5a5502eee26a5f649ecf9112b1a7704043e8cb41e99d203dfeba16c04711a03d9f43315e673bcb2a1b7a6734f85b3

    • SSDEEP

      768:jSb7I/W8ecmVU65VxzVKsbdPemI8BNlTPrCjcG8ZSNmljNtCPbMETCLQcKy9eEMK:jSbvWbPZafSDqfNel5bAx

    Score
    3/10
    • Target

      HTTP-RAW.js

    • Size

      283KB

    • MD5

      f2b9e1830bf047f60fb4ecc1248b887f

    • SHA1

      c8de2135f2064e7463f291f205d7cfec877f963c

    • SHA256

      9b2ccc5867b85cd2c4cc8e8a9282905b89e9a9347a501267d3bdf3f998951d5f

    • SHA512

      f0934f4147683f598b8d28854f156a99069dea8eca9b6d5297b9475f7be45e2e1df0a0161e47a5be1660ab80ec87746ed41f3860d9a1ebf5e7f5555d48208402

    • SSDEEP

      1536:EebK/Pxn2g4nFHRfnCkE8YMFMcBnA4mXZH4UcaoZHAxwJHAhjMAauWl4+e7bT9dn:ER0xJQhjjauB7lDkDUz5Lp

    Score
    3/10
    • Target

      HTTP-SOCKET.js

    • Size

      282KB

    • MD5

      07ed7508578ceba7709e98b3dc71e337

    • SHA1

      89eb03aecb97996cb7da2ab3b986a78c2541cad0

    • SHA256

      b39f322576c5dabc37fea9c2f5c73e4477470e59041c1156114fd270b2a7f09f

    • SHA512

      01d79374c8b8a32b9bd50257a5e9916831f1cb8b0b90784951dd883489c86dbdc96a0bab467df8e298abac5ef7954951777265fa537f29be6630f350c24fbd46

    • SSDEEP

      1536:S+ameG1qVNP/EBGJ+Ubh2jStTMM5TSnGtfkfvYbckAkQUi2VmjnWqvRfz8BViU3V:ajCTpRRgf

    Score
    3/10
    • Target

      Hulk.go

    • Size

      6KB

    • MD5

      45be1c44653e209df4ff8a1aa054d4b1

    • SHA1

      92c8d81df7a7440cb9924e8a750f1a00ab1ffd50

    • SHA256

      2bdb93afa4fa71f1bcefba414309444975035886b8a41398e75755b24166b7d4

    • SHA512

      5e2255f61b4ac27841eafd703935b2271ea9fa98266766b29caa9fc7637d8af71f74d51084a89046ff38c4983d1e8f79121816e969dd8d1df7ba6893bd113175

    • SSDEEP

      96:ZDzEqpZD3M20w5qWWrWnHHVuORET3vewxGLuald8+uPo6nTtRGD:aqpZD3M2f0tyn7avWual1uZ5RI

    Score
    3/10
    • Target

      MINECRAFT-SLAM

    • Size

      22KB

    • MD5

      da9663b371382d56bc770962971522a7

    • SHA1

      cbb1cd1a204aabdc72b5ab4e2ecb09fab4878539

    • SHA256

      fb49535437cb055cc7df4e7666f1c448831858e948fba7c360269d1c3707a33e

    • SHA512

      edf826ed4a02fe419002663cc90eb202320984dbd7569013baf496469367d68dc09c5e6fcd4a749408d95cdbe0652f251587688fb712783cba72e0c21528b7e9

    • SSDEEP

      192:RnxzjwsWskaDanX6JENuZYhz0h+fcfLBjDe7mQo84wcxyQpDzNgkHJbOZYyfyKl2:BWskamFsqGhR9jgAwcJpyfyKlMRE5

    Score
    1/10
    • Target

      OVERFLOW

    • Size

      2.4MB

    • MD5

      a42324136a2a88cd916cf3b7bb8dd816

    • SHA1

      78fee932dbe59b8167f671a9a622762fcf08be88

    • SHA256

      b56ceef3b75283daaa7c068a84844a588d97ea167035f9bf8573e38ef21dd8fd

    • SHA512

      72dd1f1424324fdca7f9ef23e9fa3b18b6e90103a898c442ca3e1577c3bd708d0c769c1617be9a2390e7e756e8fcfde86156e04d6e7ed2d753271db3414b2be1

    • SSDEEP

      49152:61zeH79Blf9KGmIYk4gJKgtLTxiU5rPPt:4wBt9KFIP4gbi8t

    Score
    1/10
    • Target

      cybersec multitool.exe

    • Size

      631KB

    • MD5

      ceba758a677d70ead7359cec602a5dc0

    • SHA1

      83e7109b9d529f807847c4e3c9ec6605cf757b2b

    • SHA256

      0a79c67164df6d37a52e9857beee53f0ad4603a2cd29ead90adbc165fb8382f1

    • SHA512

      8f78ab86f4bfa517ec066c9993f96c1b7971f9ceacc5659ea312ae8e6df8c0ee4dae6f6fdb15c7387e1af77a6faee1d580907f1364d067f0abe697b40bd6c5c6

    • SSDEEP

      12288:hoZtL+EP8hWqaVjgULeyD1Ac5LvNiMdRC:fI8UqaVjgULeyD1Ac5LFiMdA

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an open-source modular stealer written in C#.

    • Umbral family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      destroy.pl

    • Size

      1KB

    • MD5

      ffe2a24bd137f2bca6cf79f43bd979da

    • SHA1

      020d0f9ac4782022ae0bf7c839af7cd94a0cab41

    • SHA256

      73c2811307c91d518be2dbb131ba8491f79c5e49c9179d0ebebb00ae0b804dbe

    • SHA512

      41292b2252c758365eead600f3c798c7fb792517c7121f61038960b3087bdee0b10f36c94cbbc26a62a51ed0595cd611355223e0171394bd779b55f862f2196f

    Score
    3/10
    • Target

      flux

    • Size

      13KB

    • MD5

      74861d6ff1fb96f4d6af18f63acabbfa

    • SHA1

      4794dd5eeac703188a3500adf00633209d83fb2e

    • SHA256

      8acd2784fa9317fa52ceb8d1af1fa000216926737ba5a245cdee85c2307df6e4

    • SHA512

      2a50215510d800cfdd105483eabe67e70f2d23afc182ba227f8d2c5aacadc0d2bd3a71a77c9c3419e5904f9a7557e697e79bf868a7b6478515c418d43624d6c1

    • SSDEEP

      192:GRc9l5TFVSfXN1rfuJLBpzQvVeM/b+1DgES:SwPTF+XN1rfu5HQvVXa

    Score
    1/10
    • Target

      god.pl

    • Size

      1KB

    • MD5

      6c9ba71b9c7ed4f2e6bce1859f8fc4b4

    • SHA1

      76e9c9218573ea0675a903c598170d467ccac33a

    • SHA256

      51e07e860642884b47e9f3d37a16c29fe8d0b5a4e58b0f1ac1b4e81d6f65a2e8

    • SHA512

      c4782759130dfb5881098fbf6d6b58b72e1ec5abe2a551c121f1ecad2df340c58a8f512f199fa0865c955e690b2626e66e969ca85d7305773df3cd74a9c04c79

    Score
    3/10
    • Target

      home.pl

    • Size

      549B

    • MD5

      6cc1ede4ba43617bcfd11c48c2dd3bdf

    • SHA1

      5b958bc3250d5a3e856be1a618c3c7b57140359b

    • SHA256

      f502d8b3e8135f6833d59619a74b1d3b7522fc1f67cc624c3db85a566fac01cf

    • SHA512

      cd7c01bcf4b47d53abdd55bd816ca3a8f8c08bc4da8783f7b5a4ab6440c4b26b51844ab19074f09a0527c0fd82ee5bf8614f9cd9054d329e5034a847e408e2a3

    Score
    3/10
    • Target

      http1.js

    • Size

      15KB

    • MD5

      8c9db619e3004fbf4f8a31baed291238

    • SHA1

      dc3030cc54f73bc79403c9da8fe7a34ea1347bd6

    • SHA256

      7e9862382807e3defd64d185b88538de1263943b8be584ce39980183803e6742

    • SHA512

      44642a7eef9d0df893790273a900fcc269df515ea5337490fb18f8647259fd417a888cce78e53c4cb21c4ed44a73025c186edb42f7f90a63e24da141ce0a0589

    • SSDEEP

      192:zSYg0jsTao4JJ2ygs9CmmRSMQygs9ZPmRSMQTgstCmmR49gstCUmR4F6:nngTazFgswRjgsCR6gsARqgsURh

    Score
    3/10
    • Target

      https-spoof.py

    • Size

      2KB

    • MD5

      90d3d56920435d0ad3704ac8305599c2

    • SHA1

      21025d3145cdb16b906ef09d827f8862b565cccc

    • SHA256

      fed9cf477221e36460a3a528e863a76450c7b946f9cd9ef8ad9b323ba6ab515e

    • SHA512

      b11b2c19f80596f25120f64b06ef93cf11e06f2e5a2a91d411990ba9e72f5f4084e3e9e5d0f8d2eae3199001745ef5602f3ae4f1a35a1109bd6b227d68404914

    Score
    3/10
    • Target

      hyper.js

    • Size

      17KB

    • MD5

      78de02c40b95774997646904e7002b59

    • SHA1

      0dde1c2e08641cfa3075d3f4f2a1a76b7a3e566c

    • SHA256

      3f04441f96cf4107948e780872de14b6c828efa737a5e441a489124153002dea

    • SHA512

      343c94d15203c205e887c8e28da0f25940be7c28dca6201b17e211fc64d51e235509506babc142293d96c39b019ac598418b01f9c141108f78fcf5e2d521ccba

    • SSDEEP

      192:LwcY5Vu1nQM6gTnBC5gYsoj31GjncrY5YiKp3MLZpNBRi0R5GAzx/QhVv:8pg61GjcrY506LZVRxunv

    Score
    3/10
    • Target

      ldap

    • Size

      13KB

    • MD5

      f7ab17fd9ada103da1dd1feed2487ec5

    • SHA1

      d601aa115840a9724e002f9b6bcdaa3426410fec

    • SHA256

      8ee642b442f30f38d5ddfb13497a652d6be7e8e4500688a7aad79ef51cf28740

    • SHA512

      37bf19565331386062ff9b8df8c0e947dd0e4d5d15d27333f7dd51589d15917d699925895e1fd81b06faecb3b603e9ca67f40eea05b393c361c08abb7940778c

    • SSDEEP

      192:G/DHjF33l3a6paZsPn5mrFKfXtmgJ6mlOSe1SR:AzjF3VqvqeFgBl/

    Score
    1/10
    • Target

      nfo-killer

    • Size

      30KB

    • MD5

      02acade11646847c25bf429c4a45756c

    • SHA1

      e8eda1a866b1b8dfc50f37b600b2773bd6a3985b

    • SHA256

      938d36088995efc47174dd87114ef307c9f04781f6caca4a025b1fa6eaac0c73

    • SHA512

      abdef70c6e4dd14e4f180e21303124599928eb74b31f47d9c5e2230b1652d0ba33b8d5940e0677e61c22033b2c8fa42779f0971182bbf474b85fe2115768e4bb

    • SSDEEP

      768:AFTaLRRn+oEnfXPH/3vnfXPH/3vqiaSKZ3PsrBm:GTqRR+gym

    Score
    1/10
    • Target

      ntp

    • Size

      13KB

    • MD5

      4125a75efba7c6c42e3bc972a6484766

    • SHA1

      bf20936f7c53433e1722ee847ad0ab471d84811f

    • SHA256

      f4ed2ca29f04286d8ff63b051f5c0bdceffef086cca9349e55111ac8fb868628

    • SHA512

      1845f30227bd5d20d11ee4e0327d69e0fdedcb9aee5d7852aa451df5852fdce41c90998e83bcaaeaddd4d62f6e6dc6537253d0268b5b87335634d1cc38ee4777

    • SSDEEP

      192:GH4p2Fq0EwHYi5daO+OmtsnNiIrhIXMlOu0Tn+oS:oQ2FqaHBgFO/NiIrh3Oh

    Score
    1/10
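
The cybersec multitool.exe entry above reports PowerShell being used to add Windows Defender exclusions. The following is an added example for this report, not sandbox output and not Umbral's own code: detection logic that takes PowerShell ScriptBlockText strings (as logged by Microsoft-Windows-PowerShell/Operational Event ID 4104) and returns one finding per Defender-weakening parameter, covering the `Add-MpPreference`/`Set-MpPreference` exclusion parameters and the real-time protection switches. It also handles two evasions a plain string match misses: backtick-split cmdlet names and abbreviated parameter names. The three event strings are constructed for the example, not taken from the sample, and every function name is the example's own.

```python
"""Spot PowerShell that weakens Microsoft Defender: exclusions added or
real-time protection switched off, the behaviour reported for
cybersec multitool.exe above.

Added example for this report; it is not sandbox output and not Umbral code.
It expects ScriptBlockText strings as logged by
Microsoft-Windows-PowerShell/Operational Event ID 4104; the events below are
constructed, not taken from the sample.
"""
import re

# Backticks split keywords without changing meaning (Add-Mp`Preference) and
# parameters may be abbreviated (-ExclusionE for -ExclusionExtension), so the
# text is normalised first and parameters are matched on their prefix.
CMDLET_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)
PARAM_RE = re.compile(
    r"-(Exclusion\w*|Disable\w*Monitoring|DisableIOAVProtection)\b",
    re.IGNORECASE,
)


def normalize(script: str) -> str:
    """Drop backticks and fold whitespace so obfuscated and multi-line
    invocations look like a plain one-liner."""
    return re.sub(r"\s+", " ", script.replace("`", "")).strip()


def defender_tampering(script: str) -> list[dict]:
    """Return one finding per Defender-weakening parameter in the script."""
    text = normalize(script)
    findings = []
    for cm in CMDLET_RE.finditer(text):
        # The statement runs until the next ';' or '|' (quoted ones are not
        # special-cased; good enough for triage, not a PowerShell parser).
        segment = re.split(r"[;|]", text[cm.end():], maxsplit=1)[0]
        for pm in PARAM_RE.finditer(segment):
            # The argument is everything up to the next ' -parameter'.
            value = segment[pm.end():].split(" -", 1)[0].strip().strip("\"'")
            findings.append({
                "cmdlet": cm.group(0),
                "parameter": pm.group(1),
                "value": value,
            })
    return findings


def triage(events: list[str]) -> list[dict]:
    """Run over a batch of 4104 script blocks, tagging each finding with its index."""
    return [
        {"event": i, **f}
        for i, script in enumerate(events)
        for f in defender_tampering(script)
    ]


# Constructed 4104 ScriptBlockText examples.
EVENTS = [
    # Benign: reads status, changes nothing.
    "Get-MpComputerStatus | Select-Object AMRunningMode, RealTimeProtectionEnabled",
    # The pattern this report flags: exclusions by path, extension and process.
    r'Add-MpPreference -ExclusionPath "C:\Users\Public\svc" -ExclusionExtension ".exe" -ExclusionProcess "svc.exe"',
    # Backtick-split cmdlet, abbreviated parameter, real-time protection off.
    "Set-Mp`Preference -DisableRealtimeMonitoring $true; Add-MpPreference -ExclusionE '.js' -Force",
]

if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"event {f['event']}: {f['cmdlet']} {f['parameter']} = {f['value']}")
```

Script block logging has to be enabled for 4104 events to exist at all, and an attacker can reach the same settings through the WMI class MSFT_MpPreference or by running the cmdlets from a non-PowerShell host, so this is one detection layer; Windows Defender's own operational log records the resulting exclusion changes independently and is worth correlating with the PowerShell events.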

MITRE ATT&CK Enterprise v15