General

  • Target

    MVPLoader.exe

  • Size

    296KB

  • Sample

    241223-yttd9szlay

  • MD5

    a003b413af774f804d4636f1c548432d

  • SHA1

    1278d0575f8f693f525b0c9382b9eb6c5a01f1f7

  • SHA256

    701bcfb85c1c91cba00d1ab6642071739621b886e79255d874dd0def2adbe6b6

  • SHA512

    9abbc1dae91f85e8565905cb78e7266e7dfa1a6c98e3c80dd2ad9e6d6fd955bd28b7b908c802c74a8e6960b98e85c4d040aa7e01adc0babb841634c339db79d6

  • SSDEEP

    6144:9loZMCrIkd8g+EtXHkv/iD4uDwGPlO2Z0c1niinghb8e1mbietLjth6t0stcOtKc:foZZL+EP8uDwGPlO2Z0c1niingtK

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1320670806732443668/0UUFqtoA2NYbVd7AdArv9rqvm_ZtjizgTVjt1FN3pY9Y8uP9gOvvZAT-Am6P5vPKkoge

Targets

    • Target

      MVPLoader.exe

    • Detect Umbral payload

    • Umbral

      Umbral Stealer is an open-source, modular information stealer written in C#.

    • Umbral family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes so the payload is not scanned.

    • Reads user/profile data of web browsers

      Infostealers commonly target stored browser data, which can include saved credentials and other sensitive profile contents.

    • Legitimate hosting services abused for malware hosting/C2

      The extracted C2 is a Discord webhook URL, so exfiltrated data is sent to a legitimate service and blends in with ordinary HTTPS traffic to discord.com.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
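
The Defender-exclusion PowerShell and the Discord-webhook C2 listed above are the two observables a defender would most want to alert on, with the external-IP lookup as supporting context. The following Python is an added example, not code from the sandbox report or from the Umbral project: it runs over a few constructed log lines (a PowerShell script-block event and web-proxy entries in an assumed key=value layout), extracts every exclusion added through Add-MpPreference/Set-MpPreference, flags Discord webhook and IP-lookup URLs, and scores each host. The list of IP-lookup service hostnames is an assumed watchlist, and the webhook ID and token in the sample are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample log lines for this example (not from the sandbox report).
# Layout is an assumed generic key=value format; quoted values may contain spaces.
SAMPLE_LOGS = [
    "ts=2024-12-23T10:01:02Z host=WS01 src=PowerShell eid=4104 "
    "script=\"Add-MpPreference -ExclusionPath 'C:\\Users\\victim\\AppData\\Roaming' "
    "-ExclusionExtension 'exe' -ExclusionProcess 'MVPLoader.exe'\"",
    "ts=2024-12-23T10:01:05Z host=WS01 src=proxy method=GET url=https://api.ipify.org/",
    "ts=2024-12-23T10:01:07Z host=WS01 src=proxy method=POST "
    "url=https://discord.com/api/webhooks/000000000000000000/constructed-token-value",
    "ts=2024-12-23T10:02:00Z host=WS02 src=PowerShell eid=4104 script=\"Get-MpPreference\"",
    "ts=2024-12-23T10:03:00Z host=WS02 src=proxy method=GET url=https://www.example.com/",
]

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Only Add-/Set-MpPreference change the exclusion lists; Get-MpPreference is benign.
MPPREF_RE = re.compile(r"\b(Add|Set)-MpPreference\b", re.IGNORECASE)
# Capture each -Exclusion* argument up to the next "-Parameter" or end of line.
EXCLUSION_RE = re.compile(
    r"-Exclusion(Path|Extension|Process)\s+(?!-)(.+?)(?=\s+-\w|\s*$)", re.IGNORECASE)

# Discord webhooks are served from both discord.com and discordapp.com.
DISCORD_WEBHOOK_RE = re.compile(
    r"https?://(?:[\w-]+\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+", re.IGNORECASE)
HOST_RE = re.compile(r"https?://([^/:]+)", re.IGNORECASE)

# Assumed watchlist of public external-IP lookup services; extend as needed.
IP_LOOKUP_HOSTS = {
    "api.ipify.org", "ipinfo.io", "icanhazip.com", "ifconfig.me",
    "ip-api.com", "checkip.amazonaws.com",
}


def parse_line(line):
    """Turn 'key=value key="quoted value"' into a dict."""
    return {key: (inner if whole.startswith('"') else whole)
            for key, whole, inner in FIELD_RE.findall(line)}


def find_defender_exclusions(script):
    """Return [(kind, value), ...] for exclusions set via Add/Set-MpPreference.
    Comma-separated argument lists are split and surrounding quotes stripped."""
    if not MPPREF_RE.search(script):
        return []
    out = []
    for kind, raw in EXCLUSION_RE.findall(script):
        for piece in raw.split(","):
            value = piece.strip().strip("'\"")
            if value:
                out.append((kind.lower(), value))
    return out


def classify_url(url):
    """Label a URL as a Discord webhook, an IP-lookup service, or None."""
    if DISCORD_WEBHOOK_RE.match(url):
        return "discord_webhook"
    m = HOST_RE.match(url)
    if m and m.group(1).lower() in IP_LOOKUP_HOSTS:
        return "ip_lookup"
    return None


def scan(lines):
    """Group findings per host: {host: [(tag, detail), ...]}. Hosts with no findings are omitted."""
    findings = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        host = rec.get("host", "?")
        if rec.get("src") == "PowerShell":
            for kind, value in find_defender_exclusions(rec.get("script", "")):
                findings[host].append(("defender_exclusion", f"{kind}={value}"))
        elif rec.get("src") == "proxy":
            tag = classify_url(rec.get("url", ""))
            if tag:
                findings[host].append((tag, f"{rec.get('method', '')} {rec['url']}"))
    return dict(findings)


def severity(host_findings):
    """Defender tampering plus webhook traffic = high; either alone = medium."""
    tags = {tag for tag, _ in host_findings}
    if "defender_exclusion" in tags and "discord_webhook" in tags:
        return "high"
    if "defender_exclusion" in tags or "discord_webhook" in tags:
        return "medium"
    return "low" if tags else "none"


def triage(lines):
    """Map each host with findings to a severity label."""
    return {host: severity(f) for host, f in scan(lines).items()}


if __name__ == "__main__":
    for host, f in scan(SAMPLE_LOGS).items():
        print(host, severity(f))
        for tag, detail in f:
            print("   ", tag, detail)
```

On the sample lines only WS01 is reported: three Defender exclusions (path, extension and process), one IP-lookup request and one POST to a Discord webhook, which together score as high. A real deployment would feed this from Event ID 4104 script-block logging (which must be enabled) and from proxy or DNS telemetry; the Get-MpPreference call on WS02 is deliberately not flagged, since reading the exclusion list is routine administration.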

MITRE ATT&CK Enterprise v15
