umbral | c685134bdad34c105ab8f11437824d1a038370cc9d80cd3f5768d83900aba942 | Triage

Sharing

General

Target

ppp.ps1
Size

386KB
Sample

250324-nt9fdasn12
MD5

e45cabf205741f1cede66ad81f8b06fa
SHA1

060dcd47f3b48db25d68a633f7897338834d3612
SHA256

c685134bdad34c105ab8f11437824d1a038370cc9d80cd3f5768d83900aba942
SHA512

88ab41b280853bc784c1177e05ae2d31369df408c879f9dca4b6ada5d6d18693f5d3299564426e2fa726d99dcfab86cb6599684d2291d6b5e88fa500a5804aa7
SSDEEP

6144:jiQBMJk9Te7tQtEu+jSmJtAO13nRZ79rOSA5C25ljGuVn0O2+ibO8A9e:ejJ8ktQtYGmJt2WUO1

Score

10^/10

umbral discovery execution spyware stealer

Malware Config

Targets

- Target
  
  ppp.ps1
- Size
  
  386KB
- MD5
  
  e45cabf205741f1cede66ad81f8b06fa
- SHA1
  
  060dcd47f3b48db25d68a633f7897338834d3612
- SHA256
  
  c685134bdad34c105ab8f11437824d1a038370cc9d80cd3f5768d83900aba942
- SHA512
  
  88ab41b280853bc784c1177e05ae2d31369df408c879f9dca4b6ada5d6d18693f5d3299564426e2fa726d99dcfab86cb6599684d2291d6b5e88fa500a5804aa7
- SSDEEP
  
  6144:jiQBMJk9Te7tQtEu+jSmJtAO13nRZ79rOSA5C25ljGuVn0O2+ibO8A9e:ejJ8ktQtYGmJt2WUO1
Score

10^/10

discovery execution umbral spyware stealer
- Detect Umbral payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Umbral family
  umbral
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryexecution

behavioral2

umbraldiscoveryexecutionspywarestealer