General
Target: Loader (123).zip
Size: 88KB
Sample: 250121-a5vjpsxpep
MD5: 8af750e77d942f7c6ad712b3fc0e116a
SHA1: a345976cbd735bba51a8f7531896b10bbf6c2dc9
SHA256: 6a4fcfa665df00fc6999864ba0979baf7b702366bee72f25e54ab8497ddf4ed4
SHA512: 7680b16288d7061ab73bd3415a3275d3d8468eff3e9fe93ed3d62e2717811fdb92c0c1a347827a52a08a4cfa7aa9beb1ee06f1d257c1b7a46846d969fd80ff69
SSDEEP: 1536:EPznw5/Ir67Z296c3qYLfP+lGk3xyOr+/dBsfGwqU/CHujqFd7egBBIfnbK:EPz8Ar61oJ6SWgk3x3r+/Y5l/CHDVE+
Malware Config
Extracted family: umbral
Extracted URL: https://discord.com/api/webhooks/1329920564365885513/QoIgOCKNLFA4sABul_Bes4LgikBk1Yiy5mBgCkfBzaW0yujdTDakv5W_NAeetx1oEHur
Targets
Target: Loader.exe
Size: 229KB
MD5: 557fb114d1230615723db900b54ca491
SHA1: bfbe71aaacb3121f53064b56f2a9ffdbce80c629
SHA256: aaa81611974a919396e98e4b8f8f88214ed08019b41ecc78d9617ae1691085f1
SHA512: fb5bb29b10069e394b59a11296bd2d90ec3bb0b47c495d2bc1a12efba175e061649213ac01af39fcc75ed9bf4fd8c3b833ef833535c45b80ccbfdac3d73f38b9
SSDEEP: 6144:lloZM+rIkd8g+EtXHkv/iD4r6FnR/k4XcG/BcoNCjMb8e1mmo6i:noZtL+EP8r6FnR/k4XcG/BcoNTW
- Detect Umbral payload
- Umbral family
- Command and Scripting Interpreter: PowerShell
  Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Drops file in Drivers directory
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
- Credentials from Web Browsers (1)
- Unsecured Credentials (1)
- Credentials In Files (1)