umbral | 195b749f6f3a16286bbe3670ba44433127072d3597a2bd213fc236b0cd04aa3c | Triage

Sharing

General

Target

Tiktok bot.rar
Size

210KB
Sample

241229-vp2y3avmbt
MD5

902e0907f262eee95a11714d8376f36b
SHA1

1850150b08f1b6d502e36740f0fbc7974341061d
SHA256

195b749f6f3a16286bbe3670ba44433127072d3597a2bd213fc236b0cd04aa3c
SHA512

78e431d12fd41713249e7c59b28af9f76c5c3c2ec97fbcac8bfe66f866aafb9196dca70e69e11dfddd0134c57c42e6980341ab0d5a7a5eb2a1b2ed5fea5570e9
SSDEEP

6144:jf6k84LfIAc1FugPNk/NXj34vmQnNqn+Np4sP1NJ:rfLfIBZNk/NT3smQNqyp4sx

Score

10^/10

umbral discovery execution spyware stealer

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1320848195156180993/wP0_EL_98Ekp9ZG_B76T1HAnTcTKq2EJhlt6ONQSaeX2qS3W8EKSazTWZlQFKz6nrF4D

Targets

- Target
  
  TiktokBot.exe
- Size
  
  359KB
- MD5
  
  8669778992324151f3e3f6f454a9b7a3
- SHA1
  
  676cfdaf3b5b5e58441a814cabfa8fac3630ef15
- SHA256
  
  fa6e05570392f0c4dfe34ce0469eead7621388809cda5dd5e576c1e1ea6d6339
- SHA512
  
  8d86798a61443a26d16cefbeb0b74beb6837bbfb999a36ece22664b6beae8c2404520b6b4047bbbf52c3b278a2e897836e3b6657c9f082c18ce63d97a4d2e510
- SSDEEP
  
  6144:JloZM+rIkd8g+EtXHkv/iD4I06la43TwjJc6rrSNeb8e1myUi/Uy7P9f6dGYZthv:7oZtL+EP8I06la43TwjJc6rrSoZdnPcC
Score

10^/10

umbral discovery execution spyware stealer
- Detect Umbral payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Umbral family
  umbral
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Remote System Discovery

System Information Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

umbraldiscoveryexecutionspywarestealer