General

  • Target

    citizen.exe

  • Size

    229KB

  • Sample

    241222-wz9mbsvrgn

  • MD5

    fdb0b8617cf84e37b6eb3d7d33fb2bc4

  • SHA1

    57d7ec3221470c30aaebd8c76a55daef900bfd07

  • SHA256

    ee7e7ac852c19524db20655a03bffdbcc34a26771fd3bbee1aa7b9c25e0e16b1

  • SHA512

    1f6d657bf33b08fae291b857e21055a3c3e2398d4b6d42ff764c9f95949441af79bf18a2602af0a7568eeccd0e5d47311c1838200e5ae2111b36176326e457fe

  • SSDEEP

    6144:lloZM+rIkd8g+EtXHkv/iD4n9w7U69VeAbGkFZwQZb8e1mRhMi:noZtL+EP8n9w7U69VeAbGkFZwgO

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1320449525479116871/2nl-lNOK3OOL4EJWAlWs6L8xzpybWJnH8mXfik2A0wv5WNXkWlF6IMTk5TGCt541XUdR

Targets

    • Target

      citizen.exe

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an open-source, modular information stealer written in C#.

    • Umbral family

    • Command and Scripting Interpreter: PowerShell

      Executes commands via powershell.exe.

    • Drops file in Drivers directory

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other profile data.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15