General
Target: ZIP-2.zip
Size: 91KB
Sample: 250325-y2n5hsvrz2
MD5: bc012fa26d5fcd67a2b2056adfac97e4
SHA1: f46d850bf4c94e5732ab2141617d6622aa85de3e
SHA256: 61a29cd27dd6aeac57e0ca467a3f87a04e4a7a122434d5db495cf34c7097f9e8
SHA512: eb14c54a7daded6ce91508348b809be1e2834bbcf5fba3c8170f8584fa9d2b298f2f9861d4e28e965247269e75df0b9cd892a3e29c6a9353979717992ca283d0
SSDEEP: 1536:m3iw5aFnf96r+wif9Rfk7iv7VsDT2qYS0eA0IO9Bd9zQmyq7o2kgx1Zp9kIODiXm:m3i8aN9xwKQiv7KWj7FzO19cvqEgXBNI
Behavioral task: behavioral1
Sample: Umbral.exe
Resource: win7-20240903-en

Malware Config
Extracted: umbral
Webhook URL: https://discord.com/api/webhooks/1354174093003329598/RcMwCs1pKWptqNfuG-bnbpQYHfvzrhYHkp-JQyQL19RLBiyUZN0PzH5agHDx098fepIw
Targets
Target: Umbral.exe
Size: 229KB
MD5: fdb6c9cdf5605efda3e45942dad869d4
SHA1: 8022afe157b98ad5fd5ead6f17ce35caff40b168
SHA256: bea3c8ebdb0c815aff349ef6ad6f0d92751ae62e4ced9ac2c68582d4e9d1c0af
SHA512: 434a552c3dbdf7024f4a557ce9f01f755037aa303da03ed7752c9d1acd6c5fa050deef34983c7f491237a5c7adb3317db279b6e8e0bd3dab8bc0547dc031455e
SSDEEP: 6144:lloZM+rIkd8g+EtXHkv/iD4ggxVFzQEbsCzFQMpf7b8e1mAUi:noZ1L+EP8ggxVFzQEbsCzFQMpXz
- Detect Umbral payload
- Umbral family
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Deletes itself
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
- Credentials from Web Browsers (1)
- Unsecured Credentials (1)
- Credentials In Files (1)