umbral

General

Target

ezyZip.zip
Size

8.6MB
Sample

250202-g8mrlazkez
MD5

10644e9fbb865954cb3920e7639ab83e
SHA1

3e3e2cc69edae758aa4ad8f5130f306a072f6e71
SHA256

7ac8bbf9ddb9f60f638fa6bb9ef47638f764215a46cc99b2d8e7acc5c9c3845d
SHA512

1d18b1ad592aebe6b4e9605c6f4b59b55ecc251fddbf62958604ab0046e25f08122ab846b16074d3fc2c11b76acc4e3e86d2230629504097ad8f13263b840b38
SSDEEP

196608:YuE8cnOrjo5aDsSY11AZmNsJt72gEsbOCcTAfSQ2x+U:zEDnQjwH8ZmNsJj3yCcEgx+U

Score

10^/10

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1182426407264079972/o3zZrcc3EHaKos3IwlspSzlJZKZ2PVpcto6fg_aw5bgo-Vs7Ryz7by3xNz9BTpSrrOe8

Targets

- Target
  
  ezyZip/DiscordTokenLogin.exe
- Size
  
  229KB
- MD5
  
  fb717bb7603af22c74da4274a86cd934
- SHA1
  
  3d52d7c7ee6140b5129041790035b2c119be2ed0
- SHA256
  
  54a046d40c1986f4a9f360141e19c2f8b7c2c46e1eb1725b5fe75c3ee58e370c
- SHA512
  
  69795bcd71eba343b6417b484e65f68cde94a18de6bb8b46888b89b61e0d936d6c68092e37029f04372d9c94c04f03ed13ab91d94c5e64801499aeb3562a64c0
- SSDEEP
  
  6144:tloZM+rIkd8g+EtXHkv/iD40GqmAmB5K+/Cwhl09tb8e1m4i:voZtL+EP80GqmAmB5K+/Cwhl0nS
Score

10^/10

umbral discovery execution spyware stealer
- Detect Umbral payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Umbral family
  umbral
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Drops file in Drivers directory
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2
- Target
  
  ezyZip/s.exe
- Size
  
  8.7MB
- MD5
  
  28dd8b34ed8dfe316d67c7ee947cef65
- SHA1
  
  46313778087e4d026daa8546324e3c877e62d2d1
- SHA256
  
  f0b8ecf1dc41679239ef9c0405cd78f385e490a6abd6768d58834d8082181eee
- SHA512
  
  81924613cca36be73affd5821b4edfceb858b6809d2d0fcfd7f5d63a4de3b1f867134748dc221a1a893b3dfe03a3ced86452981737b20c45d01134d41eba51d9
- SSDEEP
  
  196608:NmeMO0Qn0A1HeT39IigceE9TFa0Z8DOjCdylmQeWapovQhso0w:dr0QnN1+TtIi8Y9Z8D8CclmEYoYaw
Score

7^/10
- Loads dropped DLL
behavioral3 behavioral4