General

  • Target

    BESTDISCORDIPPULLERMAMBAPULLER

  • Size

    230KB

  • Sample

    241129-qww9yayjbw

  • MD5

    b23d20593d9176d95302568243f60052

  • SHA1

    fef1aa01b7a41a8255d71309c7c5badf48a7a907

  • SHA256

    9ff459396b1f4de8dbca8a866ff3b9e4a46c48a9dc1071812a256fe21349caf9

  • SHA512

    13a9f86ca7b7df87b4174875fb3d7a7552986a6484297c841037b054d3bf01eab724f3b080f9f1984cc58912e0a50953f5d1e2355dca1cc5366eca4870400d3e

  • SSDEEP

    6144:lloZM+rIkd8g+EtXHkv/iD4M8RobhS6FDAxDeebSzb8e1muQTSi:noZtL+EP8M8RobhS6FDAxDeebIHQz

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1302116602875084831/RE8pHwBeqQmHy6u-JA3iB9wwWRonk7COiIOdHg2mG5gZayOKih7L2v3Q-Z8wvo8zCH11

Targets

    • Target

      BESTDISCORDIPPULLERMAMBAPULLER

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an open-source modular stealer written in C#.

    • Umbral family

    • Command and Scripting Interpreter: PowerShell

      Uses a powershell.exe command.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
