umbral | 84b074f1eaf50dab59347bf6122b411dbeb5c4952ffe30776cf1a88881e45436

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
10-10-2023 21:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rbxfpsunlocker.exe
Size

234KB
MD5

18b7413ddfaa6df7f7405f642c10a287
SHA1

e64389a600d859dd07e0fdb2df12a7d9b4d09581
SHA256

84b074f1eaf50dab59347bf6122b411dbeb5c4952ffe30776cf1a88881e45436
SHA512

94c78d9bb0b2044675885eb02ee698c6215d90d4dce3fea1ed350977b712c5b9315f596260d9752855d8c9cdbd531bea9999311bc9527158347aebbf367864f9
SSDEEP

6144:DloZMLrIkd8g+EtXHkv/iD4YyO2un9GuBQ0dP6aPZ/b8e1mIRtVi:hoZ0L+EP8YyO2un9GuBQ0dP6aP1tf8

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/memory/2092-0-0x0000000000DE0000-0x0000000000E20000-memory.dmp	family_umbral
behavioral1/memory/2092-2-0x000000001B130000-0x000000001B1B0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	2092	rbxfpsunlocker.exe
Token: SeIncreaseQuotaPrivilege	2620	wmic.exe
Token: SeSecurityPrivilege	2620	wmic.exe
Token: SeTakeOwnershipPrivilege	2620	wmic.exe
Token: SeLoadDriverPrivilege	2620	wmic.exe
Token: SeSystemProfilePrivilege	2620	wmic.exe
Token: SeSystemtimePrivilege	2620	wmic.exe
Token: SeProfSingleProcessPrivilege	2620	wmic.exe
Token: SeIncBasePriorityPrivilege	2620	wmic.exe
Token: SeCreatePagefilePrivilege	2620	wmic.exe
Token: SeBackupPrivilege	2620	wmic.exe
Token: SeRestorePrivilege	2620	wmic.exe
Token: SeShutdownPrivilege	2620	wmic.exe
Token: SeDebugPrivilege	2620	wmic.exe
Token: SeSystemEnvironmentPrivilege	2620	wmic.exe
Token: SeRemoteShutdownPrivilege	2620	wmic.exe
Token: SeUndockPrivilege	2620	wmic.exe
Token: SeManageVolumePrivilege	2620	wmic.exe
Token: 33	2620	wmic.exe
Token: 34	2620	wmic.exe
Token: 35	2620	wmic.exe
Token: SeIncreaseQuotaPrivilege	2620	wmic.exe
Token: SeSecurityPrivilege	2620	wmic.exe
Token: SeTakeOwnershipPrivilege	2620	wmic.exe
Token: SeLoadDriverPrivilege	2620	wmic.exe
Token: SeSystemProfilePrivilege	2620	wmic.exe
Token: SeSystemtimePrivilege	2620	wmic.exe
Token: SeProfSingleProcessPrivilege	2620	wmic.exe
Token: SeIncBasePriorityPrivilege	2620	wmic.exe
Token: SeCreatePagefilePrivilege	2620	wmic.exe
Token: SeBackupPrivilege	2620	wmic.exe
Token: SeRestorePrivilege	2620	wmic.exe
Token: SeShutdownPrivilege	2620	wmic.exe
Token: SeDebugPrivilege	2620	wmic.exe
Token: SeSystemEnvironmentPrivilege	2620	wmic.exe
Token: SeRemoteShutdownPrivilege	2620	wmic.exe
Token: SeUndockPrivilege	2620	wmic.exe
Token: SeManageVolumePrivilege	2620	wmic.exe
Token: 33	2620	wmic.exe
Token: 34	2620	wmic.exe
Token: 35	2620	wmic.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2620	2092	rbxfpsunlocker.exe	27
PID 2092 wrote to memory of 2620	2092	rbxfpsunlocker.exe	27
PID 2092 wrote to memory of 2620	2092	rbxfpsunlocker.exe	27

C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe
"C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2620

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2092-0-0x0000000000DE0000-0x0000000000E20000-memory.dmp

Filesize
256KB

Download
memory/2092-1-0x000007FEF5400000-0x000007FEF5DEC000-memory.dmp

Filesize
9.9MB

Download
memory/2092-2-0x000000001B130000-0x000000001B1B0000-memory.dmp

Filesize
512KB

Download
memory/2092-3-0x000007FEF5400000-0x000007FEF5DEC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads