umbral

General

Target

Slinkyinfected.zip
Size

35.0MB
Sample

241230-lvl1cstrhm
MD5

dd023f6d41f8f2f06f959da73f6155de
SHA1

64c0cb253073cb4314a6b8491d05e6338d41b6c1
SHA256

e8ca7b16e9cf6d75c2cda06a34f001d9da94a2de407758837aa77dc5d79b22f9
SHA512

04dbd52a1f19623d14d4d501840690a107b3b8141404cccda5b5477a5bb60ef4e5eea5e6954305b5d34382a38894dc27bfe0b2fa1b90b15ddea9ec1475915380
SSDEEP

786432:JFUtju4TxpFDi94Z9dF76v6NhEzGZ1I73hsSACyeCBDC:nYjra9mtDVIrhHvoC

Score

10^/10

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1322057974423879721/ppnP8pHnxtdpRKXhmSvr5P5fSuReYWB-wOyejU-UoO8N-THaRLkzhWKfqcTncT10ncbf

Targets

- Target
  
  Slinky/load.exe
- Size
  
  17.6MB
- MD5
  
  fe9f1266ea6a28f18c8165e625d3f9ce
- SHA1
  
  99ef957f3eb31480257be461ebebc200f5018b94
- SHA256
  
  6808d24ab0ea5dbafec1ef8bc5b01421aeb1f9817972bc6df415ed935461de61
- SHA512
  
  fabe0e4d25bb2bd74dcf2ea71dd5163b87a117cd28809bd05ebc8ad08bfcf4682236fb980a6e5affd0c8737acae1b7c0f14ed01bc734c273660c8b0c7038eb82
- SSDEEP
  
  393216:YQtOfDiM8m+J6/lSZRNw2nuNS3NzOZRumEJyb6BF0j6bxPJCX:DO+2/UZRN0QdzOZAmEGGj1PJCX
Score

10^/10

umbral execution spyware stealer
- Detect Umbral payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Umbral family
  umbral
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2
- Target
  
  Slinky/slinky_library.dll
- Size
  
  18.1MB
- MD5
  
  44b5e89a9f7bab889a4df60042872f17
- SHA1
  
  cfc40cd4fdbda75d3ed52952c500d8ccc12f4a36
- SHA256
  
  16745ae6670eba8a452a5e75fa6142564d31bd3b7d14766e04f1acb214f65703
- SHA512
  
  7f18545da3e4fa726ec33345f7dc137eedf4961a1bd0582b51ee2258a6d5a115187a4e72ec3c7b6d29e33b0a4aa2560adec1833b4bda3f00a7b194ea71d95188
- SSDEEP
  
  393216:kKRqNWNKROYkhkpXorNv+oXsDS3LNK3HOU6x0pW/lJktSrZPLAB:HANWKRrpYrNvou7NK3uU6E29dPL
Score

5^/10
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral3 behavioral4
- Target
  
  Slinky/slinkyhook.dll
- Size
  
  228KB
- MD5
  
  6d8c17c67970cb5841811eed8adffffc
- SHA1
  
  c869ab32318a035e51aff8e5e11b4cd25fb52a4f
- SHA256
  
  7c4234fac3b6b3e96dace1e71c7a952ec67e3839f90f7a88a9ea283bf88d25b8
- SHA512
  
  7d2a0ffcd72c8bf4a96b2ed722d7119749ec14f5d7e6a601cb6ae4a5b1c4a652b694158f01da340e3ca4751cabd0a56c42bf739d8b421e36937f3691b3b80c72
- SSDEEP
  
  3072:hXxN1I6PgabbAzVxPLI5oIa5amK/1o4ptgELHY1lNyc+m+e7P26g66OVuknsDe0u:hhN1GFZq/15tFc+m97ieuknsDu
Score

1^/10
behavioral5 behavioral6