General
Target: citizen.exe
Size: 229KB
Sample: 241222-wz9mbsvrgn
MD5: fdb0b8617cf84e37b6eb3d7d33fb2bc4
SHA1: 57d7ec3221470c30aaebd8c76a55daef900bfd07
SHA256: ee7e7ac852c19524db20655a03bffdbcc34a26771fd3bbee1aa7b9c25e0e16b1
SHA512: 1f6d657bf33b08fae291b857e21055a3c3e2398d4b6d42ff764c9f95949441af79bf18a2602af0a7568eeccd0e5d47311c1838200e5ae2111b36176326e457fe
SSDEEP: 6144:lloZM+rIkd8g+EtXHkv/iD4n9w7U69VeAbGkFZwQZb8e1mRhMi:noZtL+EP8n9w7U69VeAbGkFZwgO
Malware Config
Extracted family: umbral
Discord webhook (exfiltration/C2 endpoint extracted from the sample): https://discord.com/api/webhooks/1320449525479116871/2nl-lNOK3OOL4EJWAlWs6L8xzpybWJnH8mXfik2A0wv5WNXkWlF6IMTk5TGCt541XUdR
Targets
Target: citizen.exe (229KB; same MD5/SHA1/SHA256/SHA512/SSDEEP as listed under General)
Signatures matched:
- Detect Umbral payload
- Umbral family
- Drops file in Drivers directory
- Legitimate hosting services abused for malware hosting/C2 (the Discord webhook above)
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
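The two most useful pieces of this report for a responder are the extracted Discord webhook and the file hashes. The script below is an added example (not code from the sandbox or from the Umbral project) that reproduces the config-extraction step on a binary: it scans raw bytes for Discord webhook URLs in both ASCII and UTF-16LE (Umbral is a .NET stealer, and .NET user strings are stored as UTF-16LE), splits each hit into webhook ID and token, and decodes the creation time from the ID, since Discord IDs are snowflakes whose top 42 bits are a millisecond timestamp from the 2015-01-01 epoch. The sample bytes are a constructed stand-in for citizen.exe that embeds the webhook from this report; the regex and the function names are this example's own assumptions.

```python
"""Added example: extract Discord webhook URLs from a binary blob, as a config
extractor would, and decode the webhook ID's creation time. Not from the report."""
import re
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Discord snowflake epoch: 2015-01-01T00:00:00Z, in milliseconds.
DISCORD_EPOCH_MS = 1_420_070_400_000

# Webhook URL shape: /api/webhooks/<numeric id>/<URL-safe token>.
# Assumed pattern for this example; widen it if a sample uses another host form.
WEBHOOK_RE = re.compile(
    r"https?://(?:www\.)?(?:discord|discordapp)\.com/api/webhooks/"
    r"(\d{17,20})/([A-Za-z0-9_\-]{20,})"
)

# Webhook taken from the report's Malware Config section.
WEBHOOK_URL = (
    "https://discord.com/api/webhooks/1320449525479116871/"
    "2nl-lNOK3OOL4EJWAlWs6L8xzpybWJnH8mXfik2A0wv5WNXkWlF6IMTk5TGCt541XUdR"
)

# Constructed stand-in for citizen.exe (NOT the real sample): the webhook appears
# once as ASCII and once as UTF-16LE at an odd byte offset, amid filler bytes.
SAMPLE_BYTES = (
    b"MZ\x90\x00" + b"\x00" * 13
    + WEBHOOK_URL.encode("ascii") + b"\x00\x00"
    + b"A" * 7
    + WEBHOOK_URL.encode("utf-16-le")
    + b"\xff" * 9
)


def extract_discord_webhooks(data: bytes) -> List[Tuple[str, str, str]]:
    """Return sorted unique (encoding, webhook_id, token) triples found in data.

    The bytes are viewed as latin-1 (catches ASCII/UTF-8 strings) and as UTF-16LE
    at both byte alignments, so wide strings are found wherever they start.
    """
    views = [("ascii", data.decode("latin-1"))]
    for offset in (0, 1):
        views.append(("utf-16le", data[offset:].decode("utf-16-le", errors="ignore")))
    found = set()
    for encoding, text in views:
        for m in WEBHOOK_RE.finditer(text):
            found.add((encoding, m.group(1), m.group(2)))
    return sorted(found)


def snowflake_timestamp_ms(snowflake: int) -> int:
    """Unix time in milliseconds carried in the top 42 bits of a Discord snowflake."""
    return (snowflake >> 22) + DISCORD_EPOCH_MS


def snowflake_to_datetime(snowflake: int) -> datetime:
    """Creation time of a Discord object (here: the webhook) as an aware UTC datetime."""
    return datetime.fromtimestamp(snowflake_timestamp_ms(snowflake) / 1000, tz=timezone.utc)


def summarize_webhooks(data: bytes) -> List[Dict[str, str]]:
    """One record per distinct webhook ID: id, token, and creation time in UTC."""
    records: Dict[str, Dict[str, str]] = {}
    for _encoding, hook_id, token in extract_discord_webhooks(data):
        records.setdefault(hook_id, {
            "id": hook_id,
            "token": token,
            "created_utc": snowflake_to_datetime(int(hook_id)).strftime("%Y-%m-%d %H:%M:%S"),
        })
    return list(records.values())


if __name__ == "__main__":
    for rec in summarize_webhooks(SAMPLE_BYTES):
        # Tokens are credentials for the webhook; print them truncated.
        print(f"webhook {rec['id']} created {rec['created_utc']} UTC, token {rec['token'][:8]}...")
```

The webhook ID from this report decodes to 2024-12-22 17:54:59 UTC, the same day as the date prefix of the sample ID (241222), which is consistent with a webhook created for this campaign. Treat the full URL as a secret when sharing the report: the token is the only credential Discord requires to post to, or delete, the webhook, so it should never be fetched from an analysis host that could be fingerprinted, and it is also the value to hand to Discord for takedown.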
-
MITRE ATT&CK Enterprise v15 (number after each technique is the count of matching signatures)
Credential Access
- Credentials from Password Stores (T1555): 1
  - Credentials from Web Browsers (T1555.003): 1
- Unsecured Credentials (T1552): 1
  - Credentials In Files (T1552.001): 1