umbral | addc8ce8d3585541532d9cd533c3da3e8d301b53fddd37f972051e3838da7abb | Triage

Submit
Reports

Overview

overview

Static

static

1

BoostLoader.exe

windows7-x64

BoostLoader.exe

windows10-2004-x64

Sharing

General

Target

BoostLoader.exe
Size

51KB
Sample

240222-snk8tabe4x
MD5

57ea0794f42770a46a04654ba8182e94
SHA1

da89c0fba72bbc97070830e7c82eb5d756cd2870
SHA256

addc8ce8d3585541532d9cd533c3da3e8d301b53fddd37f972051e3838da7abb
SHA512

8143f50f8c049c9c8c038d82ab22b102ce55f2902fdd7e8f0aa82072a56348efd89c675e35b43e634611174f69f0c3b6eb4647987c9e96f56c95a7ea042fe53d
SSDEEP

768:rmry/329e5ew0AsnmYlB7Q/80svMIBhBshszXHj91eL6pucVB+1P09z5:d/Lew0Ak7QbvssCze5Pcz5

Score

10^/10

umbral evasion stealer themida trojan

Static task

static1

Behavioral task

behavioral1

Sample

BoostLoader.exe

Resource

win7-20240221-en

umbral evasion stealer themida trojan

windows7-x64

22 signatures

150 seconds

Behavioral task

behavioral2

Sample

BoostLoader.exe

Resource

win10v2004-20240221-en

umbral evasion stealer themida trojan

windows10-2004-x64

23 signatures

150 seconds

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1209556025984811048/FntoxASlrfqyFVYWHJOR6g3gwuEED0AVfbHu2PW_kbbNMm_xDWYzkGLyUDSsvwmC1scU

Targets

- Target
  
  BoostLoader.exe
- Size
  
  51KB
- MD5
  
  57ea0794f42770a46a04654ba8182e94
- SHA1
  
  da89c0fba72bbc97070830e7c82eb5d756cd2870
- SHA256
  
  addc8ce8d3585541532d9cd533c3da3e8d301b53fddd37f972051e3838da7abb
- SHA512
  
  8143f50f8c049c9c8c038d82ab22b102ce55f2902fdd7e8f0aa82072a56348efd89c675e35b43e634611174f69f0c3b6eb4647987c9e96f56c95a7ea042fe53d
- SSDEEP
  
  768:rmry/329e5ew0AsnmYlB7Q/80svMIBhBshszXHj91eL6pucVB+1P09z5:d/Lew0Ak7QbvssCze5Pcz5
Score

10^/10

umbral evasion stealer themida trojan
- Detect Umbral payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

umbralevasionstealerthemidatrojan

behavioral2

umbralevasionstealerthemidatrojan

© 2018-2025

Terms | Privacy