General

  • Target

    cracked.exe

  • Size

    229KB

  • Sample

    241224-c97e6szpfj

  • MD5

    e941fef6437ebb3b18df7044629faedd

  • SHA1

    0d8cc95e67e90a8ddbde143c2b5bf29110c1cad0

  • SHA256

    38c5af139cb98a163fe82158dfe5de0cb857df418770ef31427b0b43caac9fb6

  • SHA512

    2dc2c387cdd7f37e0a6d69a1b3afbde0fc98bcb689ffb7ee107c79637b1d8d823ac2af468c2d13c8a01a19accbacda4fcafec3362f573a1f0715c516f8a1ebef

  • SSDEEP

    6144:lloZM+rIkd8g+EtXHkv/iD4KC7/8il92jDe8NhoeZb8e1mpRi:noZtL+EP8KC7/8il92jDe8NhoKh

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1319845998314524734/saSJjTUgQLHMOu_uXIniCOIYDQzBSak4d60LGsgzb1KyXekiJw8--U2c--b8kiqEzhj8

Targets

    • Target

      cracked.exe

    • Size

      229KB

    • MD5

      e941fef6437ebb3b18df7044629faedd

    • SHA1

      0d8cc95e67e90a8ddbde143c2b5bf29110c1cad0

    • SHA256

      38c5af139cb98a163fe82158dfe5de0cb857df418770ef31427b0b43caac9fb6

    • SHA512

      2dc2c387cdd7f37e0a6d69a1b3afbde0fc98bcb689ffb7ee107c79637b1d8d823ac2af468c2d13c8a01a19accbacda4fcafec3362f573a1f0715c516f8a1ebef

    • SSDEEP

      6144:lloZM+rIkd8g+EtXHkv/iD4KC7/8il92jDe8NhoeZb8e1mpRi:noZtL+EP8KC7/8il92jDe8NhoKh

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

    • Umbral family

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Drops file in Drivers directory

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks