umbral | hxxps://github[.]com/Umb3a1/Star-Image-Logger

Analysis

max time kernel
69s
max time network
70s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2023, 16:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Umb3a1/Star-Image-Logger

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/1836-318-0x00000155F1BF0000-0x00000155F1C30000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Star-Image-Logger-main.zip:Zone.Identifier	firefox.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeDebugPrivilege	4228	firefox.exe
Token: SeDebugPrivilege	4228	firefox.exe
Token: SeDebugPrivilege	4228	firefox.exe
Token: SeDebugPrivilege	5116	Star IMG Logger.exe
Token: SeIncreaseQuotaPrivilege	2568	wmic.exe
Token: SeSecurityPrivilege	2568	wmic.exe
Token: SeTakeOwnershipPrivilege	2568	wmic.exe
Token: SeLoadDriverPrivilege	2568	wmic.exe
Token: SeSystemProfilePrivilege	2568	wmic.exe
Token: SeSystemtimePrivilege	2568	wmic.exe
Token: SeProfSingleProcessPrivilege	2568	wmic.exe
Token: SeIncBasePriorityPrivilege	2568	wmic.exe
Token: SeCreatePagefilePrivilege	2568	wmic.exe
Token: SeBackupPrivilege	2568	wmic.exe
Token: SeRestorePrivilege	2568	wmic.exe
Token: SeShutdownPrivilege	2568	wmic.exe
Token: SeDebugPrivilege	2568	wmic.exe
Token: SeSystemEnvironmentPrivilege	2568	wmic.exe
Token: SeRemoteShutdownPrivilege	2568	wmic.exe
Token: SeUndockPrivilege	2568	wmic.exe
Token: SeManageVolumePrivilege	2568	wmic.exe
Token: 33	2568	wmic.exe
Token: 34	2568	wmic.exe
Token: 35	2568	wmic.exe
Token: 36	2568	wmic.exe
Token: SeIncreaseQuotaPrivilege	2568	wmic.exe
Token: SeSecurityPrivilege	2568	wmic.exe
Token: SeTakeOwnershipPrivilege	2568	wmic.exe
Token: SeLoadDriverPrivilege	2568	wmic.exe
Token: SeSystemProfilePrivilege	2568	wmic.exe
Token: SeSystemtimePrivilege	2568	wmic.exe
Token: SeProfSingleProcessPrivilege	2568	wmic.exe
Token: SeIncBasePriorityPrivilege	2568	wmic.exe
Token: SeCreatePagefilePrivilege	2568	wmic.exe
Token: SeBackupPrivilege	2568	wmic.exe
Token: SeRestorePrivilege	2568	wmic.exe
Token: SeShutdownPrivilege	2568	wmic.exe
Token: SeDebugPrivilege	2568	wmic.exe
Token: SeSystemEnvironmentPrivilege	2568	wmic.exe
Token: SeRemoteShutdownPrivilege	2568	wmic.exe
Token: SeUndockPrivilege	2568	wmic.exe
Token: SeManageVolumePrivilege	2568	wmic.exe
Token: 33	2568	wmic.exe
Token: 34	2568	wmic.exe
Token: 35	2568	wmic.exe
Token: 36	2568	wmic.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
4228	firefox.exe
4228	firefox.exe
4228	firefox.exe
4228	firefox.exe
4228	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4228	firefox.exe
4228	firefox.exe
4228	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4228	firefox.exe
4228	firefox.exe
4228	firefox.exe
4228	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4608 wrote to memory of 4228	4608	firefox.exe	82
PID 4608 wrote to memory of 4228	4608	firefox.exe	82
PID 4608 wrote to memory of 4228	4608	firefox.exe	82
PID 4608 wrote to memory of 4228	4608	firefox.exe	82
PID 4608 wrote to memory of 4228	4608	firefox.exe	82
PID 4608 wrote to memory of 4228	4608	firefox.exe	82
PID 4608 wrote to memory of 4228	4608	firefox.exe	82
PID 4608 wrote to memory of 4228	4608	firefox.exe	82
PID 4608 wrote to memory of 4228	4608	firefox.exe	82
PID 4608 wrote to memory of 4228	4608	firefox.exe	82
PID 4608 wrote to memory of 4228	4608	firefox.exe	82
PID 4228 wrote to memory of 4752	4228	firefox.exe	83
PID 4228 wrote to memory of 4752	4228	firefox.exe	83
PID 4228 wrote to memory of 3096	4228	firefox.exe	84
PID 4228 wrote to memory of 3096	4228	firefox.exe	84
PID 4228 wrote to memory of 3096	4228	firefox.exe	84
PID 4228 wrote to memory of 3096	4228	firefox.exe	84
PID 4228 wrote to memory of 3096	4228	firefox.exe	84
PID 4228 wrote to memory of 3096	4228	firefox.exe	84
PID 4228 wrote to memory of 3096	4228	firefox.exe	84
PID 4228 wrote to memory of 3096	4228	firefox.exe	84
PID 4228 wrote to memory of 3096	4228	firefox.exe	84
PID 4228 wrote to memory of 3096	4228	firefox.exe	84
PID 4228 wrote to memory of 3096	4228	firefox.exe	84
PID 4228 wrote to memory of 3096	4228	firefox.exe	84
PID 4228 wrote to memory of 3096	4228	firefox.exe	84
PID 4228 wrote to memory of 3096	4228	firefox.exe	84
PID 4228 wrote to memory of 3096	4228	firefox.exe	84
PID 4228 wrote to memory of 3096	4228	firefox.exe	84
PID 4228 wrote to memory of 3096	4228	firefox.exe	84
PID 4228 wrote to memory of 3096	4228	firefox.exe	84
PID 4228 wrote to memory of 3096	4228	firefox.exe	84
PID 4228 wrote to memory of 3096	4228	firefox.exe	84
PID 4228 wrote to memory of 3096	4228	firefox.exe	84
PID 4228 wrote to memory of 3096	4228	firefox.exe	84
PID 4228 wrote to memory of 3096	4228	firefox.exe	84
PID 4228 wrote to memory of 3096	4228	firefox.exe	84
PID 4228 wrote to memory of 3096	4228	firefox.exe	84
PID 4228 wrote to memory of 3096	4228	firefox.exe	84
PID 4228 wrote to memory of 3096	4228	firefox.exe	84
PID 4228 wrote to memory of 3096	4228	firefox.exe	84
PID 4228 wrote to memory of 3096	4228	firefox.exe	84
PID 4228 wrote to memory of 3096	4228	firefox.exe	84
PID 4228 wrote to memory of 3096	4228	firefox.exe	84
PID 4228 wrote to memory of 3096	4228	firefox.exe	84
PID 4228 wrote to memory of 3096	4228	firefox.exe	84
PID 4228 wrote to memory of 3096	4228	firefox.exe	84
PID 4228 wrote to memory of 3096	4228	firefox.exe	84
PID 4228 wrote to memory of 3096	4228	firefox.exe	84
PID 4228 wrote to memory of 3096	4228	firefox.exe	84
PID 4228 wrote to memory of 3096	4228	firefox.exe	84
PID 4228 wrote to memory of 3096	4228	firefox.exe	84
PID 4228 wrote to memory of 3096	4228	firefox.exe	84
PID 4228 wrote to memory of 3096	4228	firefox.exe	84
PID 4228 wrote to memory of 3096	4228	firefox.exe	84
PID 4228 wrote to memory of 3096	4228	firefox.exe	84
PID 4228 wrote to memory of 3096	4228	firefox.exe	84
PID 4228 wrote to memory of 3096	4228	firefox.exe	84
PID 4228 wrote to memory of 3096	4228	firefox.exe	84
PID 4228 wrote to memory of 3096	4228	firefox.exe	84
PID 4228 wrote to memory of 3096	4228	firefox.exe	84
PID 4228 wrote to memory of 4920	4228	firefox.exe	85
PID 4228 wrote to memory of 4920	4228	firefox.exe	85
PID 4228 wrote to memory of 4920	4228	firefox.exe	85

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/Umb3a1/Star-Image-Logger"
1⤵
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://github.com/Umb3a1/Star-Image-Logger
  2⤵
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4228
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4228.0.1542566480\96663130" -parentBuildID 20221007134813 -prefsHandle 1856 -prefMapHandle 1848 -prefsLen 20860 -prefMapSize 232645 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5bc12b79-f078-4d71-8e26-31a940f76c58} 4228 "\\.\pipe\gecko-crash-server-pipe.4228" 1976 2953b2d4e58 gpu
    3⤵
    PID:4752
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4228.1.1532709241\1466349694" -parentBuildID 20221007134813 -prefsHandle 2392 -prefMapHandle 2388 -prefsLen 21676 -prefMapSize 232645 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f3c20b7-f259-4e3e-b849-a64fa867bbdc} 4228 "\\.\pipe\gecko-crash-server-pipe.4228" 2404 2952ea71658 socket
    3⤵
    PID:3096
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4228.2.1857942399\1444006229" -childID 1 -isForBrowser -prefsHandle 3340 -prefMapHandle 3336 -prefsLen 21779 -prefMapSize 232645 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a2e3ce0-1f4d-4ccb-96f6-b2de78242368} 4228 "\\.\pipe\gecko-crash-server-pipe.4228" 3348 2953f1dc558 tab
    3⤵
    PID:4920
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4228.3.357343152\468827884" -childID 2 -isForBrowser -prefsHandle 3620 -prefMapHandle 3616 -prefsLen 26359 -prefMapSize 232645 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0a439f1-40b0-432c-8777-c9321bb4ea25} 4228 "\\.\pipe\gecko-crash-server-pipe.4228" 3628 2953f5f8758 tab
    3⤵
    PID:464
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4228.6.376445968\318956773" -childID 5 -isForBrowser -prefsHandle 5264 -prefMapHandle 5268 -prefsLen 26418 -prefMapSize 232645 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b93a671f-791c-41e6-a40f-dc680f2b4464} 4228 "\\.\pipe\gecko-crash-server-pipe.4228" 5256 295416d1558 tab
    3⤵
    PID:5108
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4228.5.1712083316\1176955554" -childID 4 -isForBrowser -prefsHandle 5064 -prefMapHandle 5068 -prefsLen 26418 -prefMapSize 232645 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {15d2539a-702d-43aa-9d4f-6e1e6148851d} 4228 "\\.\pipe\gecko-crash-server-pipe.4228" 4948 295416d0658 tab
    3⤵
    PID:4488
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4228.4.1602447143\567082382" -childID 3 -isForBrowser -prefsHandle 4916 -prefMapHandle 4904 -prefsLen 26418 -prefMapSize 232645 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f446ba0-af82-4777-8f7d-cd0ec83d0681} 4228 "\\.\pipe\gecko-crash-server-pipe.4228" 4928 29540f19558 tab
    3⤵
    PID:3992

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:460

C:\Users\Admin\Desktop\Star-Image-Logger-main\Star-Image-Logger-main\Star IMG Logger.exe
"C:\Users\Admin\Desktop\Star-Image-Logger-main\Star-Image-Logger-main\Star IMG Logger.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5116
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2568

C:\Users\Admin\Desktop\Star-Image-Logger-main\Star-Image-Logger-main\Star IMG Logger.exe
"C:\Users\Admin\Desktop\Star-Image-Logger-main\Star-Image-Logger-main\Star IMG Logger.exe"
1⤵
PID:1836

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Star IMG Logger.exe.log

Filesize
1KB

MD5
4c8fa14eeeeda6fe76a08d14e08bf756

SHA1
30003b6798090ec74eb477bbed88e086f8552976

SHA256
7ebfcfca64b0c1c9f0949652d50a64452b35cefe881af110405cd6ec45f857a5

SHA512
116f80182c25cf0e6159cf59a35ee27d66e431696d29ec879c44521a74ab7523cbfdefeacfb6a3298b48788d7a6caa5336628ec9c1d8b9c9723338dcffea4116

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\05ypapi5.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
ade9e76422a798d86ba4bf5ba356dfb8

SHA1
ee6b1486abdcdc28054c113d9805d75d5291ef83

SHA256
5f9f60bf63e4b56d29ec9241cb70b22f31914cc59063a41c2f4f2ed44c8674f2

SHA512
1bb32a2fbef91857618393d9c60f825a6e30ee898455d77088fa521921f2a013bc54b17d94e44b2b6338e27188ed462b1968d11ecdfca728ee83637feb493ede

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\prefs-1.js

Filesize
6KB

MD5
b7baf1dd36cfc101be29828348a8e200

SHA1
94effb0821c4273922de0b16c90134bcb4bd75a8

SHA256
d08ede745d55f772806f2150bcaeccc8abb0659728594cdf13324482e9e67ad7

SHA512
c4126e1f3b02286b41154987cb321d3154fe3e51a1610135ed38fe18fb27ad60fe914e80b024b8194e06056ec4b19639a5def6a53e25666faaed3b7466da3be1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\prefs.js

Filesize
6KB

MD5
fc46bfef75c9a87522b76470b39d4b9e

SHA1
128a78afe56f10b6ad4fc7693a24c158bfb98172

SHA256
ee9a4a3da1effa2fce8f97d8ff7016861a0b861d898703a3f1b94e1f8bac72c0

SHA512
d2fc6ffc247d749f338fe161a1cdadc08d76187753f1970b8068c0031548cff0abf8e0c47504d236fa62a18ced531a9e19b96799803abac54726e637994134b7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\prefs.js

Filesize
6KB

MD5
ed2e0e1c6b7141263c0c4ba92cda430a

SHA1
372e20932ef75cce3079fa91b9cac85f329774f8

SHA256
679a28b999c3085cf773d6325db8e5f78eab9d0551442fd11b041457a9da3ed3

SHA512
95526f05eb07a73effd142a3607c034ecb9d2293b38fbd57e729dc6be0955fb93a53f2a51a2feeb4d25973f1631be38f6f7221a1aff489f8c0d067d1e07b1afc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
b60c54beb6d77e80c16b38ed5ee9f124

SHA1
58db1b698dcf1a397a4a765b8f3a60e093abc25a

SHA256
e9baf0f252c0963a7fc41b7200c89e988d68fe240360916a58161289b75aeab4

SHA512
95dddc683c23b87b39c22a0bed1750d784011f844092728edcd656a1702c99ed2a9fbda01fbbe4509923ba6e95b3aaadd766f517fedc6b482bc06613bb1cb6aa

Download Submit
C:\Users\Admin\Downloads\Star-Image-Logger-main.qXoKxfqA.zip.part

Filesize
3.4MB

MD5
ddf42e862c74305372fd41526f55170d

SHA1
fba146b71dd5560b92c40fd49b6b0a4333e353dd

SHA256
b483e5063d599604fc89ab9f5cb6eeb249b9c9c56fca129bca1ac25690cbe41f

SHA512
8be607c87025b7dc3d82aa9b13f6e5dce9a77022500ec7ae3b064af2dae1f35b4885c1ffc5e1a74bc38a9bd75120bc4f608bf4cd0f38aa5d251b9e14579cd36a

Download Submit
memory/1836-318-0x00000155F1BF0000-0x00000155F1C30000-memory.dmp

Filesize
256KB

Download
memory/1836-320-0x00007FFA09340000-0x00007FFA09E01000-memory.dmp

Filesize
10.8MB

Download
memory/1836-325-0x00007FFA09340000-0x00007FFA09E01000-memory.dmp

Filesize
10.8MB

Download
memory/5116-321-0x000002A360330000-0x000002A360340000-memory.dmp

Filesize
64KB

Download
memory/5116-322-0x00007FFA09340000-0x00007FFA09E01000-memory.dmp

Filesize
10.8MB

Download
memory/5116-324-0x00007FFA09340000-0x00007FFA09E01000-memory.dmp

Filesize
10.8MB

Download