General

  • Target

    Loader (123).zip

  • Size

    88KB

  • Sample

    250121-a5vjpsxpep

  • MD5

    8af750e77d942f7c6ad712b3fc0e116a

  • SHA1

    a345976cbd735bba51a8f7531896b10bbf6c2dc9

  • SHA256

    6a4fcfa665df00fc6999864ba0979baf7b702366bee72f25e54ab8497ddf4ed4

  • SHA512

    7680b16288d7061ab73bd3415a3275d3d8468eff3e9fe93ed3d62e2717811fdb92c0c1a347827a52a08a4cfa7aa9beb1ee06f1d257c1b7a46846d969fd80ff69

  • SSDEEP

    1536:EPznw5/Ir67Z296c3qYLfP+lGk3xyOr+/dBsfGwqU/CHujqFd7egBBIfnbK:EPz8Ar61oJ6SWgk3x3r+/Y5l/CHDVE+

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1329920564365885513/QoIgOCKNLFA4sABul_Bes4LgikBk1Yiy5mBgCkfBzaW0yujdTDakv5W_NAeetx1oEHur

Targets

    • Target

      Loader.exe

    • Size

      229KB

    • MD5

      557fb114d1230615723db900b54ca491

    • SHA1

      bfbe71aaacb3121f53064b56f2a9ffdbce80c629

    • SHA256

      aaa81611974a919396e98e4b8f8f88214ed08019b41ecc78d9617ae1691085f1

    • SHA512

      fb5bb29b10069e394b59a11296bd2d90ec3bb0b47c495d2bc1a12efba175e061649213ac01af39fcc75ed9bf4fd8c3b833ef833535c45b80ccbfdac3d73f38b9

    • SSDEEP

      6144:lloZM+rIkd8g+EtXHkv/iD4r6FnR/k4XcG/BcoNCjMb8e1mmo6i:noZtL+EP8r6FnR/k4XcG/BcoNTW

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an open-source modular stealer written in C#.

    • Umbral family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks