umbral | Plague (by Cami)(1)[.]zip | Triage

Sharing

General

Target

Plague (by Cami)(1).zip
Size

146KB
MD5

190f8bf21b950681ea855be5a74b50f2
SHA1

0204b292bc7b4f77538d228275944c687b49d655
SHA256

7b12f8e98a56c0cab6238c8a60857085bd5c33769384a0b1d6e20a0322fc0626
SHA512

1db6b066dad5c0a0e45479d4798472f043cf782c57f0fe643f57f777c5ee92fe5438dfd8beddd547657105eda949592308c6908c9308ba0f13f5f101f4fffc63
SSDEEP

3072:ucRQIF79qsYSglcVj0NkZfFHXA534KIrY73S7SdM+TJDV6yNRO:NR3FpxVj0KTHJYusJDVpRO

Score

10^/10

umbral

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1320670806732443668/0UUFqtoA2NYbVd7AdArv9rqvm_ZtjizgTVjt1FN3pY9Y8uP9gOvvZAT-Am6P5vPKkoge

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
static1/unpack001/MVPLoader.exe	family_umbral

Umbral family
umbral

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/MVPLoader.exe

Files

Plague (by Cami)(1).zip
.zip

Password: 123123
MVPLoader.exe
.exe windows:4 windows x86 arch:x86

Password: 123123

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 227KB - Virtual size: 226KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 68KB - Virtual size: 67KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
PlagueCrack.dll
cfg/BEST
cfg/Fonk
cfg/INK cfg
cfg/ebatnl
cfg/legithui
cfg/lexacfg
cfg/pivo
cfg/rage
cfg/semi
cfg/snus
читай.txt