umbral | c6298c23ea6aa8c78e17a6def30b855884bb0ea5ef9e6623f41c1519c7b1af94 | Triage

Sharing

General

Target

Netflix Checker.rar
Size

25.7MB
Sample

241130-q6qvxazlfr
MD5

9895ddee8530a319cab875c01c0cd4bb
SHA1

a1d7e2513eadff4bf9e058c20d76096f39119f5e
SHA256

c6298c23ea6aa8c78e17a6def30b855884bb0ea5ef9e6623f41c1519c7b1af94
SHA512

0846d5bb56974d1df235a78a3b2d485a1b46cd1130b8bc73427c744be3b6f8e4b85ae3ab67130798bfbed2f885ef25e373f65df88768180cdb4ad70674fb5cc2
SSDEEP

786432:iHJVM7eI00aDjVaBWpU+9twridc50wOW6X:ipqeIWDjVo+v9hGItX

Score

10^/10

umbral discovery execution pyinstaller spyware stealer

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1311076635377664100/Sd5KeNZASyDMdGMxVc-eozZlY1pWCcLmuuBn9jPZLNBn1hhDwHX0pimlF0gYZfNv2Fir

Targets

- Target
  
  Netflix Checker.rar
- Size
  
  25.7MB
- MD5
  
  9895ddee8530a319cab875c01c0cd4bb
- SHA1
  
  a1d7e2513eadff4bf9e058c20d76096f39119f5e
- SHA256
  
  c6298c23ea6aa8c78e17a6def30b855884bb0ea5ef9e6623f41c1519c7b1af94
- SHA512
  
  0846d5bb56974d1df235a78a3b2d485a1b46cd1130b8bc73427c744be3b6f8e4b85ae3ab67130798bfbed2f885ef25e373f65df88768180cdb4ad70674fb5cc2
- SSDEEP
  
  786432:iHJVM7eI00aDjVaBWpU+9twridc50wOW6X:ipqeIWDjVo+v9hGItX
Score

10^/10

umbral discovery execution pyinstaller spyware stealer
- Detect Umbral payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Umbral family
  umbral
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Remote System Discovery

System Information Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

pyinstallerumbral

behavioral1

umbraldiscoveryexecutionpyinstallerspywarestealer