General

  • Target

    ppp.ps1

  • Size

    386KB

  • Sample

    250324-nt9fdasn12

  • MD5

    e45cabf205741f1cede66ad81f8b06fa

  • SHA1

    060dcd47f3b48db25d68a633f7897338834d3612

  • SHA256

    c685134bdad34c105ab8f11437824d1a038370cc9d80cd3f5768d83900aba942

  • SHA512

    88ab41b280853bc784c1177e05ae2d31369df408c879f9dca4b6ada5d6d18693f5d3299564426e2fa726d99dcfab86cb6599684d2291d6b5e88fa500a5804aa7

  • SSDEEP

    6144:jiQBMJk9Te7tQtEu+jSmJtAO13nRZ79rOSA5C25ljGuVn0O2+ibO8A9e:ejJ8ktQtYGmJt2WUO1

Malware Config

Targets

    • Detect Umbral payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Umbral

      Umbral stealer is an open-source modular stealer written in C#.

    • Umbral family

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command interpreter.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks