General
-
Target
88556497794511dde0ca0a1bfee08922288a620c95a8bc6f67d50dbb81684b22
-
Size
3.0MB
-
Sample
241213-lh1yratqbx
-
MD5
1335a17d311b929988693fb526dc4717
-
SHA1
062830cb07ce430fe049627e001ef23fba8ba351
-
SHA256
88556497794511dde0ca0a1bfee08922288a620c95a8bc6f67d50dbb81684b22
-
SHA512
4a4496ed95c7ff13e8735646a6b8c478742a2f152a3733122fcbac54c0cd7c04571acae789c2ac67dc07d542663290c9e32b3335827e122470d8b887477d7bab
-
SSDEEP
49152:NguQhMOPX5M+RXNM5428gYbM8gkw0Q4qAew+0Fr95s9e54OyRGEK2+qc2LBhW:6/hMOP2a9MLiVed0Zqe54OCGL2NLPW
Behavioral task
behavioral1
Sample
88556497794511dde0ca0a1bfee08922288a620c95a8bc6f67d50dbb81684b22.exe
Resource
win7-20241023-en
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1118163594568286339/M-x5dkJ7qP3mQPZTzttw8LKBX9G63bPw9edrYMRuBg3sffUGWg-W4EW9HaBcdak0-wis
Targets
-
-
Target
88556497794511dde0ca0a1bfee08922288a620c95a8bc6f67d50dbb81684b22
-
Size
3.0MB
-
MD5
1335a17d311b929988693fb526dc4717
-
SHA1
062830cb07ce430fe049627e001ef23fba8ba351
-
SHA256
88556497794511dde0ca0a1bfee08922288a620c95a8bc6f67d50dbb81684b22
-
SHA512
4a4496ed95c7ff13e8735646a6b8c478742a2f152a3733122fcbac54c0cd7c04571acae789c2ac67dc07d542663290c9e32b3335827e122470d8b887477d7bab
-
SSDEEP
49152:NguQhMOPX5M+RXNM5428gYbM8gkw0Q4qAew+0Fr95s9e54OyRGEK2+qc2LBhW:6/hMOP2a9MLiVed0Zqe54OCGL2NLPW
-
Detect Umbral payload
-
Umbral family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Enterprise v15
Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Virtualization/Sandbox Evasion
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1