umbral | ff56db9447153d81e78e46beb2ee25aca7ff02bab23be39bb24c8ee4d93021e3 | Triage

Analysis

max time kernel
139s
max time network
141s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
11-07-2023 00:44

Sharing

Report Analysis Logs

General

Target

rc7.exe
Size

240KB
MD5

0db546c07a75eaa50baff55111041731
SHA1

afea857574fca99f0073bc30edcb991324ba16c7
SHA256

ff56db9447153d81e78e46beb2ee25aca7ff02bab23be39bb24c8ee4d93021e3
SHA512

3d901cc503eba613fd124bb19a4962644493b8d327cd37c064fbaea526b9ec0c55000e945cceb602d17eb9f6b4474046cb871a9d2384f2b319adbfb71928f999
SSDEEP

6144:DloZM+rIkd8g+EtXHkv/iD4lpy4AmB5KP/Cwhl0Wzb8e1m1ZiX:hoZtL+EP8lpy4AmB5KP/Cwhl0caA

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 3 IoCs

resource	yara_rule
behavioral1/memory/3060-54-0x0000000000950000-0x0000000000992000-memory.dmp	family_umbral
behavioral1/memory/3060-55-0x000000001AF50000-0x000000001AFD0000-memory.dmp	family_umbral
behavioral1/memory/3060-56-0x000000001AF50000-0x000000001AFD0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3060	rc7.exe

C:\Users\Admin\AppData\Local\Temp\rc7.exe
"C:\Users\Admin\AppData\Local\Temp\rc7.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3060

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3060-54-0x0000000000950000-0x0000000000992000-memory.dmp

Filesize
264KB

Download
memory/3060-55-0x000000001AF50000-0x000000001AFD0000-memory.dmp

Filesize
512KB

Download
memory/3060-56-0x000000001AF50000-0x000000001AFD0000-memory.dmp

Filesize
512KB

Download