umbral

Sharing

Copy URL

Twitter E-mail

General

Target

Pass 8864.zip
Size

4.7MB
Sample

241226-wf87fstjcz
MD5

0178e791918b66c56ac8359005ebb979
SHA1

bcc3b8045526f713e8ccefaa1050ab8fdaf53a45
SHA256

2592ac7a76bc435a210d3646794abf0a654937d0ce6553ebc14982480a169433
SHA512

1dd950696d69a59fc944d8a809390dc352a13338e0e5cf81e1e274b0e04c6858cb877cb4da2c358329e017f9e2b33981611e806075cb3e1f8e3149b47a6d1bde
SSDEEP

98304:RlBiFzdYGiwC+zNIfwvilltOrnmeZ0ARLuq6ZIfPHUXeH4gdkYlfnCeK60Usv:RI/ir2vr6CuF1X2Rdk4hKI4

Score

10^/10

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1320456077468368906/F7rw766V_H8a2Z__0yhCNo12vx-Ia2NeCg2Ds_H44T5Cf5iiyVYLb09YSN1sfOYJwp1p

Targets

- Target
  
  Pass 8864/Argon/Argon.exe
- Size
  
  229KB
- MD5
  
  0141daae60d7dd08a86fc4789cfb3689
- SHA1
  
  791d4a8f158313d355fad6dafa158407e80581bf
- SHA256
  
  d22b7b3b76496cda8bcad31dce4b2b3ab5ed3b91926d744982e492e5b39cf296
- SHA512
  
  74255f2cbb6345b4aefd7822587ca9503da2e49d41bb4306eca4e6ef96293b0f1c7e3173c8eb27aac54c1b0abebb8306d0e1d4b9aa824b153a8cd563a6640f9c
- SSDEEP
  
  6144:FloZM0rIkd8g+EtXHkv/iD4+2S86YXzQUp8aLLyuOb8e1msi8i:HoZDL+EP8+2S86YXzQUp8aLLylA
Score

10^/10

umbral execution spyware stealer
- Detect Umbral payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Umbral family
  umbral
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2
- Target
  
  Pass 8864/Argon/Microsoft.Web.WebView2.Core.dll
- Size
  
  589KB
- MD5
  
  a53ba26a25f78f512cb2f393f9c96463
- SHA1
  
  4176d5607859817a0b44a253c34f7edb3a46f21e
- SHA256
  
  88a3b62f45225a811cdb85df6dfd95c2bff9a0e43e3b04f813b125eaca56cc9f
- SHA512
  
  df1cd812fce4a46cae7f4d59256a12732367d16981b01f1067d58966d6612ae102eaa274fc3c9ac21aeb0422cf09ac1232fbe2b74d1daf6c76489f6e8de16751
- SSDEEP
  
  12288:WrCyR/rpQ322fy+uFKcDmuRFNEMzeu+imQ269pRFZNIEJdIEY0lxEIPrEIgcvLc6:Va7
Score

1^/10
behavioral3 behavioral4
- Target
  
  Pass 8864/Argon/Microsoft.Web.WebView2.WinForms.dll
- Size
  
  37KB
- MD5
  
  92acec9aed00f134ba86a0f7c496f26c
- SHA1
  
  3cd10e0afdd7955716a83d5f5d59859c6f7c7353
- SHA256
  
  29fc954c3fde1749817d158f3dd5ebe9efd3b3ce9708d86092fb1e9f023a1cb0
- SHA512
  
  4e11772afa9282c2f5f2565b0e908102fc8d0a08c40ca57587c338698e9ab747ff5a1673d32b6cd09d7b22b0e6c2836f1324ec8257e5223754595160a4c28ad2
- SSDEEP
  
  768:umgRNRbnIfWuJCRfXBkrQYZDgcEST3p4Jjrjh2jeFSUyauTv1JKia5/Zi/WG4KgL:XQR20BUQYZDgcEST3p4JjrjaeFSUyauO
Score

1^/10
behavioral5 behavioral6
- Target
  
  Pass 8864/Argon/Microsoft.Web.WebView2.Wpf.dll
- Size
  
  81KB
- MD5
  
  b98c511e0f75434a66d9bf0efd1795db
- SHA1
  
  515c6c1627775ce5149b410f4b19a2f25b41b2a8
- SHA256
  
  1c5b6c792916d168093ef9b836f33e818d2d15d0c81f0864b5cddff97d913319
- SHA512
  
  73fc64485db816be0bf135c7740ee916836c3bf03caabb85a1be7c5b3a4862cc1caa4975944cfd670f1cc2d90ae7c305cbea3dd9f27633244c51e5efcbaed2cd
- SSDEEP
  
  1536:jmJUzMJcumSzTIudfRz+Ohsha87Y1DHfFWyEb30mpc4Jjr4YeUqRHhwU0fdwzvUe:YUzMJNzTIudB+Oh0a8+DHfFC30mpc4JY
Score

1^/10
behavioral7 behavioral8
- Target
  
  Pass 8864/Argon/Newtonsoft.Json.dll
- Size
  
  695KB
- MD5
  
  195ffb7167db3219b217c4fd439eedd6
- SHA1
  
  1e76e6099570ede620b76ed47cf8d03a936d49f8
- SHA256
  
  e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d
- SHA512
  
  56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac
- SSDEEP
  
  12288:GBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUO:GBjk38WuBcAbwoA/BkjSHXP36RMG/
Score

1^/10
behavioral10 behavioral9
- Target
  
  Pass 8864/Argon/bin/Atlantis.dll
- Size
  
  6.0MB
- MD5
  
  cbf096a7133c07f1a19efde61c1aca13
- SHA1
  
  55e3f5a470101a291f992a24d2e370ba15b039ca
- SHA256
  
  00243e13c5a23ceaa06618d2770a320038bd24a69d0252dcca09e74b5d6a0013
- SHA512
  
  d9f5d9a34e86502fee87df15b13069284cf5fc7375e9d3c73011ee290e5dbfec0b137e93593f1b4227c0707df6255a4e2bc569325289735137eb07183abc58b3
- SSDEEP
  
  98304:8j+/n7qBMK1BhXDn3nmDDyJa84v2aZoEmcLo3:aon1K1BhXDn3mDDyJa84v2aZtJLa
Score

1^/10
behavioral11 behavioral12
- Target
  
  Pass 8864/Argon/bin/oRniz4vtL94l.exe
- Size
  
  4.1MB
- MD5
  
  cd2cf251993d02bba6c82ceef9771dd8
- SHA1
  
  e9695d027a4babf1a3d5c2b900d69d1213dd160e
- SHA256
  
  8241f49cd516cc727a9f24a56c9fcca5d14fab162d00a17514e662238043178a
- SHA512
  
  b5ffaf85f09451bef239ba7fd11361368e0750b9c9aa6b29f6450acd3a079ccb9f5a5045c0115268f731c4e82888867925f67c466626cd84d5a350b7ee3e7687
- SSDEEP
  
  49152:rvVwASOvGtlqkbXPySBQnGkKX2M1m/RbtcJrzVX68TsgdVMuQni+e3d5RPPezNdx:KfySBQnGkKX2/pafVXIgml6tqq+b1
Score

1^/10
behavioral13 behavioral14
- Target
  
  Pass 8864/Argon/fix exploit.bat
- Size
  
  1KB
- MD5
  
  5289fa561dcb8647582896af6528671a
- SHA1
  
  fda5871c543e9986194aa7c027aad8206d9bbe4a
- SHA256
  
  762048396be01b02e2fb949f4276179732da23799cfb715600e333d7597475bc
- SHA512
  
  f8e90026dce457483ef7a5f5341bfb54a16432457e1139b5d8f4a6d18374e05668e7e4f1248dba0ed23ce036261803094b295493eac03fcb56859d5c3fe7b679
Score

1^/10
behavioral15 behavioral16
- Target
  
  Pass 8864/Argon/message.bat
- Size
  
  356B
- MD5
  
  c76645f1baab3397fc8ea7200d3bb908
- SHA1
  
  1a5b47e2ba0cbe028cf20d5d949db616c9b18788
- SHA256
  
  17165f9adf2601664b8f6fdbf87749f46fe53c1eccdb9a1e2fad4f46ab8dd967
- SHA512
  
  1c422db62279267536fbd615f90bd2648f238599e1a7063834de23e11c7219cf176df0be671cfb7f08a9d7f52a387fb936ae3e2e85446156284fdce422300c7f
Score

1^/10
behavioral17 behavioral18
- Target
  
  Pass 8864/Argon/runtimes/win-x64/native/WebView2Loader.dll
- Size
  
  162KB
- MD5
  
  c9a5d0f278d57d83a03404b8baeeac64
- SHA1
  
  39d44b999c1d89c36136804a373d4d427bc7d679
- SHA256
  
  462b36fd1be6ca9f7563466a89e57c41ef4a4def3e0a84fa885d203aea4a3aaf
- SHA512
  
  97dfb08eae34624b7679a4bb07dee242b2a38324dc13b8aaec6de7f6fed477e9f9bc7474d4df9fbe907d1a460723db7177b7128a26edf5bd73d38d4d45722db6
- SSDEEP
  
  3072:fXAne8TlTRTSpL1ThTNTRyMDjRb/hy75HGRtVBviiZsZ5AalCPTxiEtJx9eg8Xjm:/yTlTRTUL1ThTNTRyeLq1GRtVBvPZsrw
Score

1^/10
behavioral19 behavioral20

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detect Umbral payload

Umbral family

Command and Scripting Interpreter: PowerShell

Reads user/profile data of web browsers

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20