Analysis

  • max time kernel
    53s
  • max time network
    60s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-02-2024 01:19

General

  • Target

    Loader.exe

  • Size

    609KB

  • MD5

    9893f79d958d0fdf80c2f87fa526696c

  • SHA1

    b5349594b66680de00dd1c64e8ad23f5b60bedec

  • SHA256

    6c727f906a78ce58fd0970cce1216eaafa833f12ee8f6da2d42839d5ef00fb87

  • SHA512

    e0eb174f7b0f8e83c9010836bba865cb2320d94c87939f9ec18a1f029bc5eb1baa8691d25c84ed9cf330c4d6f61e627fb2b01393934f38853f44eacea9110e9e

  • SSDEEP

    12288:EoZcL+EP8LhahecjfUn1gevPeVTv6iPVle8w15dQPvY:HI8dahecjfUn1gevPeV7s15uY

Score
10/10

Malware Config

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral stealer is an open-source modular stealer written in C#.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:680
    • C:\Users\Admin\AppData\Local\Temp\Java(TM) Platform SE binary.exe
      "C:\Users\Admin\AppData\Local\Temp\Java(TM) Platform SE binary.exe"
      2⤵
      • Executes dropped EXE
      PID:2016

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Java(TM) Platform SE binary.exe

    Filesize

    193KB

    MD5

    c2407e584cbbf97d4045cd082bf4ac4a

    SHA1

    0d9e7a4650da2340d07c4503d83ec4b6f8ef4d6e

    SHA256

    4ac7646ca2e05c81682ccebd4b8e247e6e3eedc1b155126630042bea3b0ccaf4

    SHA512

    5106afa980aeadd0022d506b6517f01cc28e8eb4ec143ef88d2af404337355c9d5f6a874e1f8aad44e5ef43d272e60ab4ef9344c05f0907b57886d5154e87c59

  • C:\Users\Admin\AppData\Local\Temp\Java(TM) Platform SE binary.exe

    Filesize

    281KB

    MD5

    64cc2eaa820f15b3256519307c30ff77

    SHA1

    95859ed6f20a89d2b657ec6df9d0f62a98296823

    SHA256

    b69391a94e356591689a6d0eb00c624c483ef7c8a01fffa1e5bdae337417cab2

    SHA512

    c57896d5ffafe8abddc712ae272320cce5d47d528ac9a903ac37d1bc8b68fb3f7080fdf8419f3e50a53aef918bcb63d064cd43ce990a760f6187571c38a6354b

  • C:\Users\Admin\AppData\Local\Temp\Java(TM) Platform SE binary.exe

    Filesize

    107KB

    MD5

    00177854557fd4d1490a893e955d5f1e

    SHA1

    d7708136fed2feb37eb4cda968b4f85348523930

    SHA256

    ae6e65eef467214616edb517f6d0daefa9b00a15d32b6c424a1649480754dae4

    SHA512

    8cac45abbd9d501635b882619381a1e95912e07f92d54aa66dc8a5f713e4acea69f3ceba9240910cf251ce2354648a9383a13f49b5b97c714638bc7d66815670

  • memory/680-11-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

  • memory/2016-12-0x0000000000A20000-0x0000000000A7E000-memory.dmp

    Filesize

    376KB

  • memory/2016-13-0x00007FFC77DC0000-0x00007FFC78881000-memory.dmp

    Filesize

    10.8MB

  • memory/2016-15-0x00007FFC77DC0000-0x00007FFC78881000-memory.dmp

    Filesize

    10.8MB