General
-
Target
BESTDISCORDIPPULLERMAMBAPULLER
-
Size
230KB
-
Sample
241129-qww9yayjbw
-
MD5
b23d20593d9176d95302568243f60052
-
SHA1
fef1aa01b7a41a8255d71309c7c5badf48a7a907
-
SHA256
9ff459396b1f4de8dbca8a866ff3b9e4a46c48a9dc1071812a256fe21349caf9
-
SHA512
13a9f86ca7b7df87b4174875fb3d7a7552986a6484297c841037b054d3bf01eab724f3b080f9f1984cc58912e0a50953f5d1e2355dca1cc5366eca4870400d3e
-
SSDEEP
6144:lloZM+rIkd8g+EtXHkv/iD4M8RobhS6FDAxDeebSzb8e1muQTSi:noZtL+EP8M8RobhS6FDAxDeebIHQz
Behavioral task
behavioral1
Sample
BESTDISCORDIPPULLERMAMBAPULLER.exe
Resource
win7-20241010-en
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1302116602875084831/RE8pHwBeqQmHy6u-JA3iB9wwWRonk7COiIOdHg2mG5gZayOKih7L2v3Q-Z8wvo8zCH11
Targets
-
-
Target
BESTDISCORDIPPULLERMAMBAPULLER
-
Size
230KB
-
MD5
b23d20593d9176d95302568243f60052
-
SHA1
fef1aa01b7a41a8255d71309c7c5badf48a7a907
-
SHA256
9ff459396b1f4de8dbca8a866ff3b9e4a46c48a9dc1071812a256fe21349caf9
-
SHA512
13a9f86ca7b7df87b4174875fb3d7a7552986a6484297c841037b054d3bf01eab724f3b080f9f1984cc58912e0a50953f5d1e2355dca1cc5366eca4870400d3e
-
SSDEEP
6144:lloZM+rIkd8g+EtXHkv/iD4M8RobhS6FDAxDeebSzb8e1muQTSi:noZtL+EP8M8RobhS6FDAxDeebIHQz
-
Detect Umbral payload
-
Umbral family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory
-
Deletes itself
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1