Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

Umbral.exe

windows7-x64

10

Umbral.exe

windows10-1703-x64

10

Umbral.exe

windows10-2004-x64

10

Umbral.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    1s
  • max time network
    14s
  • platform
    windows11-21h2_x64
  • resource
    win11-20231215-en
  • resource tags

    arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    05/02/2024, 10:00 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Umbral.exe

  • Size

    231KB

  • MD5

    2bd5664afed4d5821041e61b19f55a30

  • SHA1

    8d0f1ea431c0e00b39898a05f4ae37ac55800703

  • SHA256

    5e0dce9978369a90f9380c4630f79b2801dd0251f699bee7d7b85f43c51f027e

  • SHA512

    991066a886a2fd36246d1fe88a7c62cb6672a7c8821c94a4b1c8df650968a39aa0f1519451d569b9b478a30cd3465fda32da69816b5ce86bd95ccd9a7d781fe7

  • SSDEEP

    6144:RloZM+rIkd8g+EtXHkv/iD4+B/RkqNlOcLWU1pAN8b8e1mKi:joZtL+EP8+B/RkqNlOcLWU1pAa4

Score
10/10
umbralstealer

Malware Config

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Umbral.exe
    "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2792
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1784

Network

  • flag-us
    DNS
    gstatic.com
    Umbral.exe
    Remote address:
    8.8.8.8:53
    Request
    gstatic.com
    IN A
    Response
    gstatic.com
    IN A
    142.250.200.35
  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Umbral.exe
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    35.200.250.142.in-addr.arpa
    Umbral.exe
    Remote address:
    8.8.8.8:53
    Request
    35.200.250.142.in-addr.arpa
    IN PTR
    Response
    35.200.250.142.in-addr.arpa
    IN PTR
    lhr48s30-in-f31e100net
  • 142.250.200.35:443
    gstatic.com
    tls
    Umbral.exe
    803 B
     5.4kB
     8
    8
  • 8.8.8.8:53
    gstatic.com
    dns
    Umbral.exe
    196 B
     274 B
     3
    3

    DNS Request

    gstatic.com

    DNS Response

    142.250.200.35

    DNS Request

    8.8.8.8.in-addr.arpa

    DNS Request

    35.200.250.142.in-addr.arpa

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2792-0-0x00000148FBCE0000-0x00000148FBD20000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2792-1-0x00007FF97E8A0000-0x00007FF97F362000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2792-2-0x00000148FE390000-0x00000148FE3A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2792-4-0x00007FF97E8A0000-0x00007FF97F362000-memory.dmp

    Filesize

    10.8MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.