General
-
Target
NursultanCrack (1) (infected).7z
-
Size
137KB
-
Sample
250108-jhrzqssneq
-
MD5
14c37a2a724581c73fd4928ea6ce79d2
-
SHA1
29f1e4add85fd14b5dca67a9764d892ac5b774ce
-
SHA256
3f3f40a638516bc45b945327b7a0c7e38eff9856a8339ad3ce87a518fc7ef841
-
SHA512
3d4c9b97b128c910a5d9dad34a4c1e79e280cbec83f48986258e219a88ad074b4e9854afad8d671f36fd7f6c0a604e5e569bd08ce94620ebdda63e3212eeb72a
-
SSDEEP
3072:l0t+YlzLFIij5OwEBnTf/VyOVG1uky7yyrB+Cgasyu:GUkCg55E5THsgkwrnsyu
Malware Config
Extracted
umbral
https://discordapp.com/api/webhooks/1325868562266456138/Fb8Y4qevEOUbXCkXdG1TkC-plAz86vmHIh3tYZpDLWl2Vw3JwlAAyaTDkfuZVfIqJpfk
Targets
-
-
Target
NursultanCrack (1).exe
-
Size
495KB
-
MD5
cb249dd007048cc05e604f34918ed5ea
-
SHA1
78e9fceb07dd0d42e599ecb0629bf37f0461a1b0
-
SHA256
3904bfb037ab43097536ee9d9797e6cd8d4282390af91aa554f92d0f6885bd12
-
SHA512
1a2fe75f87c6386ee11d1865d7f15704f68a3756cfe4015b5c882d012ac48710fb877dfeb9dd1ac7a31e5225aeb0fdc027fcc37de360b37955c64b9de457f154
-
SSDEEP
12288:doZ1tlRk83MlUpRhgMS1Nmdzus9x41Ib7idvMk0SVMl5tYyQ:G5r3PRCMS1Nmdzus9x416SMk0GMl5tYh
Score10/10-
Detect Umbral payload
-
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
-
Umbral family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1