General

  • Target

    Umbral.exe

  • Size

    229KB

  • Sample

    241222-p5dzaaynb1

  • MD5

    6f99ad653049306925da44b34fd12011

  • SHA1

    df5d265397a6895efa77bed1478e79784cba7954

  • SHA256

    e14be40bad2e07456140fee37d8ca380811886c1c89b0b6e21e8b0f2a33ed663

  • SHA512

    89c9c171f1684cab8bd55b971cd69b9370f49d7da743f848b99d68523b89e2810ab033c4f26d539240d185186f72549bfb422b9c65cd7cf5c00f781693b569b8

  • SSDEEP

    6144:FloZM+rIkd8g+EtXHkv/iD4YD5JR/k4XRG/BcoN2Nb8e1mFi:HoZtL+EP8YD5JR/k4XRG/BcoNW/

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1320373019788709958/grKutKImeSMKAobU3qwqZ5oRo3wj5DJYl9VHxg5Zgp_1o843EeDBvDw0n9iXEfY8rcS1

Targets

    • Target

      Umbral.exe

    • Size

      229KB

    • MD5

      6f99ad653049306925da44b34fd12011

    • SHA1

      df5d265397a6895efa77bed1478e79784cba7954

    • SHA256

      e14be40bad2e07456140fee37d8ca380811886c1c89b0b6e21e8b0f2a33ed663

    • SHA512

      89c9c171f1684cab8bd55b971cd69b9370f49d7da743f848b99d68523b89e2810ab033c4f26d539240d185186f72549bfb422b9c65cd7cf5c00f781693b569b8

    • SSDEEP

      6144:FloZM+rIkd8g+EtXHkv/iD4YD5JR/k4XRG/BcoN2Nb8e1mFi:HoZtL+EP8YD5JR/k4XRG/BcoNW/

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

    • Umbral family

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks