General
-
Target
resembleC2.exe
-
Size
763KB
-
Sample
250112-dypxestqdy
-
MD5
f70fb0eacdba5672bd67ff9ad29e425b
-
SHA1
35c7ad26473afb12c8b46dfb51f3e0d73b92a7eb
-
SHA256
325ec7369a18af43c95815bacf830f5bcd1093436c25f67685226fe0d4812280
-
SHA512
e93012796de946c4b009d9c68a539ea010d88952c11ddd0fc05d3d4ebe1657f16a7f75269e2c6075c12564f40752c7f4aec0c64583ffb46d06ec69431e5f6ff5
-
SSDEEP
12288:wjB1GbyBRc8nAVCCpViLkSdIi/NvFFuHtHylX5mmYKlzQUG1R9qRst2hmKyL/mVD:wjB1myBRccwf/SdNFvFFu1yh5zlzY1RS
Malware Config
Targets
-
-
Target
resembleC2.exe
-
Size
763KB
-
MD5
f70fb0eacdba5672bd67ff9ad29e425b
-
SHA1
35c7ad26473afb12c8b46dfb51f3e0d73b92a7eb
-
SHA256
325ec7369a18af43c95815bacf830f5bcd1093436c25f67685226fe0d4812280
-
SHA512
e93012796de946c4b009d9c68a539ea010d88952c11ddd0fc05d3d4ebe1657f16a7f75269e2c6075c12564f40752c7f4aec0c64583ffb46d06ec69431e5f6ff5
-
SSDEEP
12288:wjB1GbyBRc8nAVCCpViLkSdIi/NvFFuHtHylX5mmYKlzQUG1R9qRst2hmKyL/mVD:wjB1myBRccwf/SdNFvFFu1yh5zlzY1RS
Score10/10-
Detect Umbral payload
-
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
-
Umbral family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s)
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1