umbral | 4cbe7a16f2a8df8a51aa0f50f65d9d97195b254072589e87c54ba53e458c8a89 | Triage

Resubmissions

26-06-2023 18:25

230626-w2tznabc97 10

26-06-2023 18:24

230626-w17t5acb91 10

26-06-2023 18:22

230626-wz7gzabc88 10

Analysis

max time kernel
32s
max time network
34s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
26-06-2023 18:24

Sharing

Report Analysis Logs

General

Target

testone.exe
Size

229KB
MD5

27eade2098a995bea21837cc28399e7e
SHA1

3100f2f77ca8fd8d6c3f6a55285650e0f9ffaffe
SHA256

4cbe7a16f2a8df8a51aa0f50f65d9d97195b254072589e87c54ba53e458c8a89
SHA512

3830c7b09d3c250d3a7faf6adce46fabb45dd4ca96ad4e647b7b3c51987d79282a10030b7363fac380de642ab1a1940767dc5ce23b7d92429e984d73f0ffb53f
SSDEEP

6144:9loZMXXU9Zx0kt8X0/PSCsMT9aY6ecjfU61gevPeDAb8e1m4i:foZDf0kkP6AY6ecjfU61gevPes6

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/memory/836-54-0x0000000000170000-0x00000000001B0000-memory.dmp	family_umbral
behavioral1/memory/836-55-0x000000001B1F0000-0x000000001B270000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	836	testone.exe

C:\Users\Admin\AppData\Local\Temp\testone.exe
"C:\Users\Admin\AppData\Local\Temp\testone.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:836

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:1488

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/836-54-0x0000000000170000-0x00000000001B0000-memory.dmp

Filesize
256KB

Download
memory/836-55-0x000000001B1F0000-0x000000001B270000-memory.dmp

Filesize
512KB

Download
memory/836-56-0x000000001B1F0000-0x000000001B270000-memory.dmp

Filesize
512KB

Download