umbral | a9e16fdb1ad53a73784a03803410b238e2de590eb1f7a1d6e4dfa0354ef99ca0 | Triage

Submit
Reports

Overview

overview

Static

static

nursultan.exe

windows7-x64

nursultan.exe

windows10-2004-x64

Sharing

General

Target

nursultan.exe
Size

231KB
Sample

240229-qlm9aaaf73
MD5

0a40e097ff34f2786e6a1b1c2695db2d
SHA1

7701f374e627f5624ee7b792c777d2b59b41ac20
SHA256

a9e16fdb1ad53a73784a03803410b238e2de590eb1f7a1d6e4dfa0354ef99ca0
SHA512

3ed97fbbd49460b582c51059b7e96535a951820179e89492f16668d176c8bb33ebaf8f4e056e5e909fcda74167dfa71cd8f83db840b10fb084019ae675982c47
SSDEEP

6144:xloZMArIkd8g+EtXHkv/iD44gTVBPUonRWvRsY94Fb8e1mFrQi:DoZHL+EP84gTVBPUonRWvRsY9sOJ

Score

10^/10

umbral spyware stealer

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

nursultan.exe

Resource

win7-20240221-en

umbral spyware stealer

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

nursultan.exe

Resource

win10v2004-20240226-en

umbral spyware stealer

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1212013600261279754/pS2kUk8X8HLTwlZ_TrdPXO-susrMQC81SOpxO7zVm1bHHQsqYw40zPb6UlXkaCeSSy_l

Targets

- Target
  
  nursultan.exe
- Size
  
  231KB
- MD5
  
  0a40e097ff34f2786e6a1b1c2695db2d
- SHA1
  
  7701f374e627f5624ee7b792c777d2b59b41ac20
- SHA256
  
  a9e16fdb1ad53a73784a03803410b238e2de590eb1f7a1d6e4dfa0354ef99ca0
- SHA512
  
  3ed97fbbd49460b582c51059b7e96535a951820179e89492f16668d176c8bb33ebaf8f4e056e5e909fcda74167dfa71cd8f83db840b10fb084019ae675982c47
- SSDEEP
  
  6144:xloZMArIkd8g+EtXHkv/iD44gTVBPUonRWvRsY94Fb8e1mFrQi:DoZHL+EP84gTVBPUonRWvRsY9sOJ
Score

10^/10

umbral spyware stealer
- Detect Umbral payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Drops file in Drivers directory
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

umbralspywarestealer

behavioral2

umbralspywarestealer

© 2018-2025

Terms | Privacy