umbral | 5658f42d6332d99827d772a710d74e905f822d23e958c86f802973c2cffe850f

Resubmissions

27/04/2024, 22:30 UTC

240427-2e6b3aac8y 10

27/04/2024, 22:14 UTC

240427-15m3qsaa31 10

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27/04/2024, 22:14 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

l0xmdpqk.ylw.bin.exe
Size

227KB
MD5

7f32dcbb00de079c31ff7895ae9c0560
SHA1

e80841a355b8dce9955b9bbba63f02a4ad31a836
SHA256

5658f42d6332d99827d772a710d74e905f822d23e958c86f802973c2cffe850f
SHA512

776cabc7d2442d90655eec0f434c811146b7f569dbace3c8609a582c167af5990ec25d1d7a8eb111744cecbdcd43d37af7d623eb97eb414ad926371083f7aadc
SSDEEP

6144:bloZM+9EB1/SqctonEPfCqAu0+prdmK13Up7a6rhgj8e1m5l:5oZQdSqcwvu0+prdmK13Up7a6rhQM

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/1556-0-0x0000000001160000-0x00000000011A0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	1556	l0xmdpqk.ylw.bin.exe
Token: SeIncreaseQuotaPrivilege	2880	wmic.exe
Token: SeSecurityPrivilege	2880	wmic.exe
Token: SeTakeOwnershipPrivilege	2880	wmic.exe
Token: SeLoadDriverPrivilege	2880	wmic.exe
Token: SeSystemProfilePrivilege	2880	wmic.exe
Token: SeSystemtimePrivilege	2880	wmic.exe
Token: SeProfSingleProcessPrivilege	2880	wmic.exe
Token: SeIncBasePriorityPrivilege	2880	wmic.exe
Token: SeCreatePagefilePrivilege	2880	wmic.exe
Token: SeBackupPrivilege	2880	wmic.exe
Token: SeRestorePrivilege	2880	wmic.exe
Token: SeShutdownPrivilege	2880	wmic.exe
Token: SeDebugPrivilege	2880	wmic.exe
Token: SeSystemEnvironmentPrivilege	2880	wmic.exe
Token: SeRemoteShutdownPrivilege	2880	wmic.exe
Token: SeUndockPrivilege	2880	wmic.exe
Token: SeManageVolumePrivilege	2880	wmic.exe
Token: 33	2880	wmic.exe
Token: 34	2880	wmic.exe
Token: 35	2880	wmic.exe
Token: SeIncreaseQuotaPrivilege	2880	wmic.exe
Token: SeSecurityPrivilege	2880	wmic.exe
Token: SeTakeOwnershipPrivilege	2880	wmic.exe
Token: SeLoadDriverPrivilege	2880	wmic.exe
Token: SeSystemProfilePrivilege	2880	wmic.exe
Token: SeSystemtimePrivilege	2880	wmic.exe
Token: SeProfSingleProcessPrivilege	2880	wmic.exe
Token: SeIncBasePriorityPrivilege	2880	wmic.exe
Token: SeCreatePagefilePrivilege	2880	wmic.exe
Token: SeBackupPrivilege	2880	wmic.exe
Token: SeRestorePrivilege	2880	wmic.exe
Token: SeShutdownPrivilege	2880	wmic.exe
Token: SeDebugPrivilege	2880	wmic.exe
Token: SeSystemEnvironmentPrivilege	2880	wmic.exe
Token: SeRemoteShutdownPrivilege	2880	wmic.exe
Token: SeUndockPrivilege	2880	wmic.exe
Token: SeManageVolumePrivilege	2880	wmic.exe
Token: 33	2880	wmic.exe
Token: 34	2880	wmic.exe
Token: 35	2880	wmic.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1556 wrote to memory of 2880	1556	l0xmdpqk.ylw.bin.exe	28
PID 1556 wrote to memory of 2880	1556	l0xmdpqk.ylw.bin.exe	28
PID 1556 wrote to memory of 2880	1556	l0xmdpqk.ylw.bin.exe	28

C:\Users\Admin\AppData\Local\Temp\l0xmdpqk.ylw.bin.exe
"C:\Users\Admin\AppData\Local\Temp\l0xmdpqk.ylw.bin.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1556
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2880

Network

DNS

gstatic.com

l0xmdpqk.ylw.bin.exe

Remote address:

8.8.8.8:53

Request

gstatic.com

IN A

Response

gstatic.com

IN A

216.58.201.99
GET

https://gstatic.com/generate_204

l0xmdpqk.ylw.bin.exe

Remote address:

216.58.201.99:443

Request

GET /generate_204 HTTP/1.1
Host: gstatic.com
Connection: Keep-Alive

Response

HTTP/1.1 204 No Content

Content-Length: 0
Cross-Origin-Resource-Policy: cross-origin
Date: Sat, 27 Apr 2024 22:14:17 GMT
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

216.58.201.99:443

https://gstatic.com/generate_204

tls, http

l0xmdpqk.ylw.bin.exe

1.0kB
5.2kB
12
10

HTTP Request

GET https://gstatic.com/generate_204

HTTP Response

204

8.8.8.8:53

gstatic.com

dns

l0xmdpqk.ylw.bin.exe

57 B
73 B
1
1

DNS Request

gstatic.com

DNS Response

216.58.201.99

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1556-0-0x0000000001160000-0x00000000011A0000-memory.dmp

Filesize
256KB

Download
memory/1556-1-0x000007FEF51A0000-0x000007FEF5B8C000-memory.dmp

Filesize
9.9MB

Download
memory/1556-2-0x00000000010C0000-0x0000000001140000-memory.dmp

Filesize
512KB

Download
memory/1556-3-0x000007FEF51A0000-0x000007FEF5B8C000-memory.dmp

Filesize
9.9MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Response

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.