umbral | 0c70a683dc7964b4a37b655928d87b172043c8582c3cfce38f69901ec53b3b88 | Triage

Sharing

General

Target

SlinkyByoJuba.zip
Size

17.7MB
Sample

250127-wr81tszqby
MD5

e68e6d381e8f4445e91dfeb32b789470
SHA1

2fd535837fb07143257f4c754fa805f8e998ca55
SHA256

0c70a683dc7964b4a37b655928d87b172043c8582c3cfce38f69901ec53b3b88
SHA512

130260b3afbafcfb33ec70901fe64075e855b88a23725d9d74404f63a4fb7de3b59f0fc1fadb406297b84e205532443bed86ed49a551522211167f075378569f
SSDEEP

393216:Vw5OSsqSxtps6zoLeU3723b5VrefnJg5vd6wMyXuJKKYfgzCam:VjSktphiN3G5Vr4JgdduyXuQKYfgGam

Score

10^/10

umbral discovery execution spyware stealer

Malware Config

Targets

- Target
  
  Slinky/slink/load.exe
- Size
  
  17.8MB
- MD5
  
  86d4579d1dbfd7be291f5d198d805398
- SHA1
  
  8636bb288af7549f10d50eba8f8a4489ffee4222
- SHA256
  
  d0e0881cc1edb247c39628fbcaec00fae6ec3617bde0869538aed888f4e6a63a
- SHA512
  
  0ae111f7761778429b6e93ecbd4547a3280c52dfba781c42cf37e046cfe440d69d49a3caa8d3a58f6013b644e80e908fdbd7415340b764f6a4900806aceb877c
- SSDEEP
  
  393216:YQsUy4Ln/msXQDkaxfqTJ9h7yXVHM5dzI2UeHqrCMMDcbiK3:nsun/3GTxW9h7G5M7z2eHqeMMDcWK3
Score

10^/10

umbral discovery execution spyware stealer
- Detect Umbral payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Umbral family
  umbral
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

umbraldiscoveryexecutionspywarestealer

behavioral2

umbraldiscoveryexecutionspywarestealer