General
Target: MIDNIGHT (infected).7z
Size: 69KB
Sample: 250414-jwzazatxbv
MD5: 5e87598c6989443745c8ab6d757a4992
SHA1: 8cc14bf8392f24161206ad7b38ff1e2bde3c2508
SHA256: 1ea08a2e62e39d7655ae293be7cf5e8853af36797b79cabf16c4d2ad8b42dfff
SHA512: 67f3c642c94070dd85206f8da0838b8783ea22e8f738b8f2ed5d34255b705fa8524fe36fe8491d9526417993446f4925fa111014e8be520ae63900d2ee870681
SSDEEP: 1536:e4ztZSM92BN/nXRN7E0wPGNWnlCC/0ivhSOE3A0IEcHiaE:eie/nBG0GnlCC/0ahZTEcG
Malware Config
Extracted family: umbral
Extracted webhook: https://discord.com/api/webhooks/1352594784845561876/OBjjg-B1YGUG7DbRdxf55rQ9hCptHXixTTsmXYF45oSs9TiRAhvR-81UqTbA-O5PEoFW
Targets
Target: MIDNIGHT.exe
Size: 230KB
MD5: 7b96b2b4d1a942f2b3cb34678bef7a81
SHA1: ce236036608b846f9efb0892684f793dfd6eaea7
SHA256: 5971cfc5a8c3803c278136912b255f50c29ed4ab30e5173d723d837deffacf5b
SHA512: 28508d5504743721dcf82b5c6771037d1dc7140ddd8de079004a1c55f2a7ae3d2ebc92c40647387819a51f3c10f0e33a543e1e9e5248ec1282423a3e03553c1b
SSDEEP: 6144:eloZM9rIkd8g+EtXHkv/iD4DSB2zZqStoY5rWWDJ2b8e1mYxi:IoZmL+EP8DSB2zZqStoY5rWWDkM
Signatures
- Detect Umbral payload
- Umbral family
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Enterprise v16
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)