umbral | a85235b38f90be244eb57d131951ff69a562714221d640ab9da0480af4aed06c | Triage

Submit
Reports

Overview

overview

Static

static

3

Cheat_by_DioZ.exe

windows7-x64

Cheat_by_DioZ.exe

windows10-2004-x64

Sharing

General

Target

Cheat_by_DioZ.exe
Size

15.3MB
Sample

230821-sxf1fsfd7s
MD5

7e8d421582aacc3651a5f8ae391e4605
SHA1

0cff4ece5e75a5dc0c5e6076ad782ecf42ad7c16
SHA256

a85235b38f90be244eb57d131951ff69a562714221d640ab9da0480af4aed06c
SHA512

7eb24ed0bddb9a681c231c92c50b52015b09466262dbdf1c1e47219f4fe76cff9adf65860d2c03cf61e8d4e7aa7ee46a7a81464773c56a81fee4a2ebec8192f1
SSDEEP

196608:0KMurhe046YIw782LRg5lA7B+juGhgdKDW/vDhoOocQ4cfVqwc7Mzg:0hurhf4Qm8MR8gwRh+n/lvoPDc70

Score

10^/10

umbral evasion stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Cheat_by_DioZ.exe

Resource

win7-20230712-en

umbral evasion stealer

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

Cheat_by_DioZ.exe

Resource

win10v2004-20230703-en

umbral evasion stealer

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1143115606330200074/pyKgc8H0hMiolN7TnRv_a5UZxMEV9hMyMPcyMEE79xLCjkKRbFA2ce8qYJuxmfb_M-83

Targets

- Target
  
  Cheat_by_DioZ.exe
- Size
  
  15.3MB
- MD5
  
  7e8d421582aacc3651a5f8ae391e4605
- SHA1
  
  0cff4ece5e75a5dc0c5e6076ad782ecf42ad7c16
- SHA256
  
  a85235b38f90be244eb57d131951ff69a562714221d640ab9da0480af4aed06c
- SHA512
  
  7eb24ed0bddb9a681c231c92c50b52015b09466262dbdf1c1e47219f4fe76cff9adf65860d2c03cf61e8d4e7aa7ee46a7a81464773c56a81fee4a2ebec8192f1
- SSDEEP
  
  196608:0KMurhe046YIw782LRg5lA7B+juGhgdKDW/vDhoOocQ4cfVqwc7Mzg:0hurhf4Qm8MR8gwRh+n/lvoPDc70
Score

10^/10

umbral evasion stealer
- Detect Umbral payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Drops file in Drivers directory
- Stops running service(s)
  evasion
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Create or Modify System Process

Windows Service

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

umbralevasionstealer

behavioral2

umbralevasionstealer

© 2018-2025

Terms | Privacy