umbral | 1d27b8e069a17744560a4e66050ab43938b1b9b61770854c0becf7bbb39ba546 | Triage

Sharing

General

Target

menu.exe
Size

429KB
Sample

250217-zq16datjhn
MD5

d26a02891c33b040f2452d54f579ad48
SHA1

31804768215d8c61ab46d146d47daf87bd67a748
SHA256

1d27b8e069a17744560a4e66050ab43938b1b9b61770854c0becf7bbb39ba546
SHA512

0373fc38527e78164937de7b957d8cb952b03a463c6c6445df294963d9949ac4002f947f0f9cb10d8c054825b1131c250ae7582c9be296afcf5e872eed29a417
SSDEEP

6144:yBlkZvaF4NTBtcfBpUwnEPU8QJRtIHYqmuEU2Go56ACLSaC3mWN9Lg00oQBQDsLy:yoSWNT/m3vneuWHPc6ACmJmKJ0oQWgUr

Score

10^/10

umbral defense_evasion discovery execution spyware stealer

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1337245285906124970/bZ3_ZvAOrPXKKkOLcSzaJTktgaHlH_MDlk4vp0EAIhEj0fgz1GQSR4nw4WAiOieBnrr-

Targets

- Target
  
  menu.exe
- Size
  
  429KB
- MD5
  
  d26a02891c33b040f2452d54f579ad48
- SHA1
  
  31804768215d8c61ab46d146d47daf87bd67a748
- SHA256
  
  1d27b8e069a17744560a4e66050ab43938b1b9b61770854c0becf7bbb39ba546
- SHA512
  
  0373fc38527e78164937de7b957d8cb952b03a463c6c6445df294963d9949ac4002f947f0f9cb10d8c054825b1131c250ae7582c9be296afcf5e872eed29a417
- SSDEEP
  
  6144:yBlkZvaF4NTBtcfBpUwnEPU8QJRtIHYqmuEU2Go56ACLSaC3mWN9Lg00oQBQDsLy:yoSWNT/m3vneuWHPc6ACmJmKJ0oQWgUr
Score

10^/10

umbral defense_evasion discovery execution spyware stealer
- Detect Umbral payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Umbral family
  umbral
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Deobfuscate/Decode Files or Information
  Payload decoded via CertUtil.
  defense_evasion
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Deobfuscate/Decode Files or Information

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

umbraldefense_evasiondiscoveryexecutionspywarestealer

behavioral2

umbraldefense_evasiondiscoveryexecutionspywarestealer