General
-
Target
Umbral.exe
-
Size
229KB
-
Sample
241222-p7bxpszjgj
-
MD5
6f99ad653049306925da44b34fd12011
-
SHA1
df5d265397a6895efa77bed1478e79784cba7954
-
SHA256
e14be40bad2e07456140fee37d8ca380811886c1c89b0b6e21e8b0f2a33ed663
-
SHA512
89c9c171f1684cab8bd55b971cd69b9370f49d7da743f848b99d68523b89e2810ab033c4f26d539240d185186f72549bfb422b9c65cd7cf5c00f781693b569b8
-
SSDEEP
6144:FloZM+rIkd8g+EtXHkv/iD4YD5JR/k4XRG/BcoN2Nb8e1mFi:HoZtL+EP8YD5JR/k4XRG/BcoNW/
Behavioral task
behavioral1
Sample
Umbral.exe
Resource
win7-20241010-en
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1320373019788709958/grKutKImeSMKAobU3qwqZ5oRo3wj5DJYl9VHxg5Zgp_1o843EeDBvDw0n9iXEfY8rcS1
Targets
-
-
Target
Umbral.exe
-
Size
229KB
-
MD5
6f99ad653049306925da44b34fd12011
-
SHA1
df5d265397a6895efa77bed1478e79784cba7954
-
SHA256
e14be40bad2e07456140fee37d8ca380811886c1c89b0b6e21e8b0f2a33ed663
-
SHA512
89c9c171f1684cab8bd55b971cd69b9370f49d7da743f848b99d68523b89e2810ab033c4f26d539240d185186f72549bfb422b9c65cd7cf5c00f781693b569b8
-
SSDEEP
6144:FloZM+rIkd8g+EtXHkv/iD4YD5JR/k4XRG/BcoN2Nb8e1mFi:HoZtL+EP8YD5JR/k4XRG/BcoNW/
-
Detect Umbral payload
-
Umbral family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1