umbral | 12fa9aa3c10013a89dfc83a538dedaf7d6dec6cd126b3eefa77c816103b36d16

Resubmissions

26-09-2023 22:14

230926-15sm8afd22 10

26-09-2023 21:56

230926-1tqdqadg6x 10

Analysis

max time kernel
111s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
26-09-2023 22:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Umbral.exe
Size

231KB
MD5

910a5896b1488769e91e985b0dbba73f
SHA1

2416ce9e4e5b8843520acc93b4ac4a157a29b261
SHA256

60edfe75e435ed4ce8c42bad52ba9986c1d5bb3359fad93da6987e2131124888
SHA512

bcc0fc3c9b6fd8eacfa62b83053e2637a8ec61520ce72795317f2719136f1883ad4b5cbd386a7c71064ae55958cadc7b03055dfefe2511b2b78843c32d18ee83
SSDEEP

6144:RloZM+rIkd8g+EtXHkv/iD4uzBdCg/7IiR0STTKBoXb8e1mJi:joZtL+EP8uzBdCg/7IiR0STTKgf

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/2924-0-0x000001EB423A0000-0x000001EB423E0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2924	Umbral.exe
Token: SeIncreaseQuotaPrivilege	1572	wmic.exe
Token: SeSecurityPrivilege	1572	wmic.exe
Token: SeTakeOwnershipPrivilege	1572	wmic.exe
Token: SeLoadDriverPrivilege	1572	wmic.exe
Token: SeSystemProfilePrivilege	1572	wmic.exe
Token: SeSystemtimePrivilege	1572	wmic.exe
Token: SeProfSingleProcessPrivilege	1572	wmic.exe
Token: SeIncBasePriorityPrivilege	1572	wmic.exe
Token: SeCreatePagefilePrivilege	1572	wmic.exe
Token: SeBackupPrivilege	1572	wmic.exe
Token: SeRestorePrivilege	1572	wmic.exe
Token: SeShutdownPrivilege	1572	wmic.exe
Token: SeDebugPrivilege	1572	wmic.exe
Token: SeSystemEnvironmentPrivilege	1572	wmic.exe
Token: SeRemoteShutdownPrivilege	1572	wmic.exe
Token: SeUndockPrivilege	1572	wmic.exe
Token: SeManageVolumePrivilege	1572	wmic.exe
Token: 33	1572	wmic.exe
Token: 34	1572	wmic.exe
Token: 35	1572	wmic.exe
Token: 36	1572	wmic.exe
Token: SeIncreaseQuotaPrivilege	1572	wmic.exe
Token: SeSecurityPrivilege	1572	wmic.exe
Token: SeTakeOwnershipPrivilege	1572	wmic.exe
Token: SeLoadDriverPrivilege	1572	wmic.exe
Token: SeSystemProfilePrivilege	1572	wmic.exe
Token: SeSystemtimePrivilege	1572	wmic.exe
Token: SeProfSingleProcessPrivilege	1572	wmic.exe
Token: SeIncBasePriorityPrivilege	1572	wmic.exe
Token: SeCreatePagefilePrivilege	1572	wmic.exe
Token: SeBackupPrivilege	1572	wmic.exe
Token: SeRestorePrivilege	1572	wmic.exe
Token: SeShutdownPrivilege	1572	wmic.exe
Token: SeDebugPrivilege	1572	wmic.exe
Token: SeSystemEnvironmentPrivilege	1572	wmic.exe
Token: SeRemoteShutdownPrivilege	1572	wmic.exe
Token: SeUndockPrivilege	1572	wmic.exe
Token: SeManageVolumePrivilege	1572	wmic.exe
Token: 33	1572	wmic.exe
Token: 34	1572	wmic.exe
Token: 35	1572	wmic.exe
Token: 36	1572	wmic.exe
Token: SeDebugPrivilege	2564	Umbral.exe
Token: SeIncreaseQuotaPrivilege	696	wmic.exe
Token: SeSecurityPrivilege	696	wmic.exe
Token: SeTakeOwnershipPrivilege	696	wmic.exe
Token: SeLoadDriverPrivilege	696	wmic.exe
Token: SeSystemProfilePrivilege	696	wmic.exe
Token: SeSystemtimePrivilege	696	wmic.exe
Token: SeProfSingleProcessPrivilege	696	wmic.exe
Token: SeIncBasePriorityPrivilege	696	wmic.exe
Token: SeCreatePagefilePrivilege	696	wmic.exe
Token: SeBackupPrivilege	696	wmic.exe
Token: SeRestorePrivilege	696	wmic.exe
Token: SeShutdownPrivilege	696	wmic.exe
Token: SeDebugPrivilege	696	wmic.exe
Token: SeSystemEnvironmentPrivilege	696	wmic.exe
Token: SeRemoteShutdownPrivilege	696	wmic.exe
Token: SeUndockPrivilege	696	wmic.exe
Token: SeManageVolumePrivilege	696	wmic.exe
Token: 33	696	wmic.exe
Token: 34	696	wmic.exe
Token: 35	696	wmic.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 1572	2924	Umbral.exe	85
PID 2924 wrote to memory of 1572	2924	Umbral.exe	85
PID 2564 wrote to memory of 696	2564	Umbral.exe	109
PID 2564 wrote to memory of 696	2564	Umbral.exe	109
PID 3896 wrote to memory of 4912	3896	Umbral.exe	112
PID 3896 wrote to memory of 4912	3896	Umbral.exe	112
PID 1436 wrote to memory of 2496	1436	Umbral - Copy (6).exe	115
PID 1436 wrote to memory of 2496	1436	Umbral - Copy (6).exe	115

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1572

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4232

C:\Users\Admin\Desktop\Umbral.exe
"C:\Users\Admin\Desktop\Umbral.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:696

C:\Users\Admin\Desktop\Umbral.exe
"C:\Users\Admin\Desktop\Umbral.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3896
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:4912

C:\Users\Admin\Desktop\Umbral - Copy (6).exe
"C:\Users\Admin\Desktop\Umbral - Copy (6).exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:2496

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Umbral.exe.log

Filesize
1KB

MD5
8094b248fe3231e48995c2be32aeb08c

SHA1
2fe06e000ebec919bf982d033c5d1219c1f916b6

SHA256
136c30d964f4abbb5279bdc86d0e00578333782f15f05f0d2d050730dcb7a9bc

SHA512
bf27a3822008796370e2c506c910a40992b9240606ea1bc19f683b2fee86b81897660ac0cf8e746ca093dae9e408949e2e9002ded75678a69f020d3b0452801f

Download Submit
memory/1436-15-0x00007FFA55240000-0x00007FFA55D01000-memory.dmp

Filesize
10.8MB

Download
memory/1436-13-0x00000196319F0000-0x0000019631A00000-memory.dmp

Filesize
64KB

Download
memory/1436-12-0x00007FFA55240000-0x00007FFA55D01000-memory.dmp

Filesize
10.8MB

Download
memory/2564-8-0x00007FFA55120000-0x00007FFA55BE1000-memory.dmp

Filesize
10.8MB

Download
memory/2564-6-0x00007FFA55120000-0x00007FFA55BE1000-memory.dmp

Filesize
10.8MB

Download
memory/2564-7-0x0000022433C10000-0x0000022433C20000-memory.dmp

Filesize
64KB

Download
memory/2924-4-0x00007FFA57810000-0x00007FFA582D1000-memory.dmp

Filesize
10.8MB

Download
memory/2924-0-0x000001EB423A0000-0x000001EB423E0000-memory.dmp

Filesize
256KB

Download
memory/2924-2-0x000001EB43FC0000-0x000001EB43FD0000-memory.dmp

Filesize
64KB

Download
memory/2924-1-0x00007FFA57810000-0x00007FFA582D1000-memory.dmp

Filesize
10.8MB

Download
memory/3896-9-0x00007FFA55240000-0x00007FFA55D01000-memory.dmp

Filesize
10.8MB

Download
memory/3896-10-0x0000021145930000-0x0000021145940000-memory.dmp

Filesize
64KB

Download
memory/3896-11-0x00007FFA55240000-0x00007FFA55D01000-memory.dmp

Filesize
10.8MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads