General
Target: MVPLoader.exe
Size: 296KB
Sample: 241223-yttd9szlay
MD5: a003b413af774f804d4636f1c548432d
SHA1: 1278d0575f8f693f525b0c9382b9eb6c5a01f1f7
SHA256: 701bcfb85c1c91cba00d1ab6642071739621b886e79255d874dd0def2adbe6b6
SHA512: 9abbc1dae91f85e8565905cb78e7266e7dfa1a6c98e3c80dd2ad9e6d6fd955bd28b7b908c802c74a8e6960b98e85c4d040aa7e01adc0babb841634c339db79d6
SSDEEP: 6144:9loZMCrIkd8g+EtXHkv/iD4uDwGPlO2Z0c1niinghb8e1mbietLjth6t0stcOtKc:foZZL+EP8uDwGPlO2Z0c1niingtK
Malware Config
Extracted
Family: umbral
Webhook URL: https://discord.com/api/webhooks/1320670806732443668/0UUFqtoA2NYbVd7AdArv9rqvm_ZtjizgTVjt1FN3pY9Y8uP9gOvvZAT-Am6P5vPKkoge
Targets
Target: MVPLoader.exe
Size: 296KB (MD5, SHA1, SHA256, SHA512 and SSDEEP are identical to the values listed under General)

Detect Umbral payload

Umbral family

Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.