Analysis

  • max time kernel
    491s
  • max time network
    495s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230621-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28-06-2023 09:47

General

  • Target

    Umbral.exe

  • Size

    214KB

  • MD5

    3c8afbf0e5a3922c5947ad31114d684c

  • SHA1

    ad321d5e7a381b74f92b8417249b80edebd2830d

  • SHA256

    ab0377fa096635ef253a94df3982ce2d361413428cba8fe59b4ba3f10101f44a

  • SHA512

    76a47a3113a69f8b09b6d4dae649e2025a9b3cb58c5803630d85123ccf97d2c30cd5a9160df2d77e0ec5e6fac81c2ab06eb0c259033c98b53f1bf1b3aa3509ae

  • SSDEEP

    3072:iXoAc90eBB8Dp4Dbd95jaP6g81D2LpMYXol9rFl88e9Jls5T33OG3z:QclK25lgH78e9JSp3OG

Score
10/10

Malware Config

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral stealer is an open-source modular stealer written in C#.

  • Program crash 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Umbral.exe
    "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    1⤵
      PID:4916
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 4916 -s 896
        2⤵
        • Program crash
        PID:648
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -pss -s 412 -p 4916 -ip 4916
      1⤵
        PID:2928

Network

  • flag-us DNS 95.221.229.192.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 95.221.229.192.in-addr.arpa IN PTR
    Response:
  • flag-us DNS 8.3.197.209.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 8.3.197.209.in-addr.arpa IN PTR
    Response: 8.3.197.209.in-addr.arpa IN PTR vip0x008map2sslhwcdnnet
  • flag-us DNS 134.121.24.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 134.121.24.20.in-addr.arpa IN PTR
    Response:
  • flag-us DNS 45.8.109.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 45.8.109.52.in-addr.arpa IN PTR
    Response:
  • flag-us DNS 90.65.42.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 90.65.42.20.in-addr.arpa IN PTR
    Response:
  • 2.18.121.83:80 (322 B, 7)
  • 20.189.173.14:443 (322 B, 7)
  • 178.79.208.1:80 (322 B, 7)
  • 8.8.8.8:53 95.221.229.192.in-addr.arpa dns (73 B, 144 B, 1, 1)
    DNS Request: 95.221.229.192.in-addr.arpa
  • 8.8.8.8:53 8.3.197.209.in-addr.arpa dns (70 B, 111 B, 1, 1)
    DNS Request: 8.3.197.209.in-addr.arpa
  • 8.8.8.8:53 134.121.24.20.in-addr.arpa dns (72 B, 158 B, 1, 1)
    DNS Request: 134.121.24.20.in-addr.arpa
  • 8.8.8.8:53 45.8.109.52.in-addr.arpa dns (70 B, 144 B, 1, 1)
    DNS Request: 45.8.109.52.in-addr.arpa
  • 8.8.8.8:53 90.65.42.20.in-addr.arpa dns (70 B, 156 B, 1, 1)
    DNS Request: 90.65.42.20.in-addr.arpa

MITRE ATT&CK Matrix


Downloads

  • memory/4916-133-0x000001E2381A0000-0x000001E2381DC000-memory.dmp (Filesize 240KB)
  • memory/4916-134-0x000001E239FB0000-0x000001E239FC0000-memory.dmp (Filesize 64KB)
