umbral | 499282fecf90d5dcdf2b01ca4413c37477ec17b6068b43300dfeaefa1fb50978

Analysis

max time kernel
131s
max time network
136s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
15/04/2024, 16:52 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ClientBetaNew.exe
Size

229KB
MD5

e7fca17393a9f4cb9ccb2f65fc2bb214
SHA1

cef26fa30e3f68d85ab923beecc0cd0dbfa2a720
SHA256

499282fecf90d5dcdf2b01ca4413c37477ec17b6068b43300dfeaefa1fb50978
SHA512

303fe673e0d12410010971fb15ae58751948a7e0fb559e97acf5c73df0a7987dc8d423d59ebdfdfee79ef2696795ecf78543dcb74bebf6073a65229a2d24b80a
SSDEEP

6144:9loZM+rIkd8g+EtXHkv/iD4rzQumkrHM99YW3X2gyb8e1mtzi:foZtL+EP8rzQumkrHM99YW3X23Ie

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral2/memory/1468-0-0x0000024DF5490000-0x0000024DF54D0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	1468	ClientBetaNew.exe
Token: SeIncreaseQuotaPrivilege	3940	wmic.exe
Token: SeSecurityPrivilege	3940	wmic.exe
Token: SeTakeOwnershipPrivilege	3940	wmic.exe
Token: SeLoadDriverPrivilege	3940	wmic.exe
Token: SeSystemProfilePrivilege	3940	wmic.exe
Token: SeSystemtimePrivilege	3940	wmic.exe
Token: SeProfSingleProcessPrivilege	3940	wmic.exe
Token: SeIncBasePriorityPrivilege	3940	wmic.exe
Token: SeCreatePagefilePrivilege	3940	wmic.exe
Token: SeBackupPrivilege	3940	wmic.exe
Token: SeRestorePrivilege	3940	wmic.exe
Token: SeShutdownPrivilege	3940	wmic.exe
Token: SeDebugPrivilege	3940	wmic.exe
Token: SeSystemEnvironmentPrivilege	3940	wmic.exe
Token: SeRemoteShutdownPrivilege	3940	wmic.exe
Token: SeUndockPrivilege	3940	wmic.exe
Token: SeManageVolumePrivilege	3940	wmic.exe
Token: 33	3940	wmic.exe
Token: 34	3940	wmic.exe
Token: 35	3940	wmic.exe
Token: 36	3940	wmic.exe
Token: SeIncreaseQuotaPrivilege	3940	wmic.exe
Token: SeSecurityPrivilege	3940	wmic.exe
Token: SeTakeOwnershipPrivilege	3940	wmic.exe
Token: SeLoadDriverPrivilege	3940	wmic.exe
Token: SeSystemProfilePrivilege	3940	wmic.exe
Token: SeSystemtimePrivilege	3940	wmic.exe
Token: SeProfSingleProcessPrivilege	3940	wmic.exe
Token: SeIncBasePriorityPrivilege	3940	wmic.exe
Token: SeCreatePagefilePrivilege	3940	wmic.exe
Token: SeBackupPrivilege	3940	wmic.exe
Token: SeRestorePrivilege	3940	wmic.exe
Token: SeShutdownPrivilege	3940	wmic.exe
Token: SeDebugPrivilege	3940	wmic.exe
Token: SeSystemEnvironmentPrivilege	3940	wmic.exe
Token: SeRemoteShutdownPrivilege	3940	wmic.exe
Token: SeUndockPrivilege	3940	wmic.exe
Token: SeManageVolumePrivilege	3940	wmic.exe
Token: 33	3940	wmic.exe
Token: 34	3940	wmic.exe
Token: 35	3940	wmic.exe
Token: 36	3940	wmic.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 3940	1468	ClientBetaNew.exe	72
PID 1468 wrote to memory of 3940	1468	ClientBetaNew.exe	72

C:\Users\Admin\AppData\Local\Temp\ClientBetaNew.exe
"C:\Users\Admin\AppData\Local\Temp\ClientBetaNew.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3940

Network

DNS

gstatic.com

ClientBetaNew.exe

Remote address:

8.8.8.8:53

Request

gstatic.com

IN A

Response

gstatic.com

IN A

142.250.200.35
GET

https://gstatic.com/generate_204

ClientBetaNew.exe

Remote address:

142.250.200.35:443

Request

GET /generate_204 HTTP/1.1
Host: gstatic.com
Connection: Keep-Alive

Response

HTTP/1.1 204 No Content

Content-Length: 0
Cross-Origin-Resource-Policy: cross-origin
Date: Mon, 15 Apr 2024 16:52:15 GMT
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
DNS

35.200.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

35.200.250.142.in-addr.arpa

IN PTR

Response

35.200.250.142.in-addr.arpa

IN PTR

lhr48s30-in-f31e100net
DNS

19.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

19.229.111.52.in-addr.arpa

IN PTR

Response
DNS

9.173.189.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

9.173.189.20.in-addr.arpa

IN PTR

Response

142.250.200.35:443

https://gstatic.com/generate_204

tls, http

ClientBetaNew.exe

810 B
5.2kB
10
10

HTTP Request

GET https://gstatic.com/generate_204

HTTP Response

204

8.8.8.8:53

gstatic.com

dns

ClientBetaNew.exe

57 B
73 B
1
1

DNS Request

gstatic.com

DNS Response

142.250.200.35
8.8.8.8:53

35.200.250.142.in-addr.arpa

dns

73 B
111 B
1
1

DNS Request

35.200.250.142.in-addr.arpa
8.8.8.8:53

19.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

19.229.111.52.in-addr.arpa
8.8.8.8:53

9.173.189.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

9.173.189.20.in-addr.arpa

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1468-0-0x0000024DF5490000-0x0000024DF54D0000-memory.dmp

Filesize
256KB

Download
memory/1468-1-0x00007FFFC0F50000-0x00007FFFC193C000-memory.dmp

Filesize
9.9MB

Download
memory/1468-2-0x0000024DF7BA0000-0x0000024DF7BB0000-memory.dmp

Filesize
64KB

Download
memory/1468-4-0x00007FFFC0F50000-0x00007FFFC193C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.