Overview

overview

10

Static

static

3

immortal.bin.exe

windows7-x64

5

immortal.bin.exe

windows10-1703-x64

10

immortal.bin.exe

windows10-2004-x64

5

immortal.bin.exe

windows11-21h2-x64

5

Resubmissions

27-04-2024 22:30

240427-2faxjsac8z 10

27-04-2024 22:14

240427-15m3qshf69 10

Analysis

  • max time kernel
    195s
  • max time network
    298s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    27-04-2024 22:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    immortal.bin.exe

  • Size

    1.1MB

  • MD5

    9e511d399fbc2bf0c2d45302dc62be61

  • SHA1

    3100c1c0c5f98b1a7bccef0cdcfde6b34e38992b

  • SHA256

    ce8f179e7e29d4f28f1c5039808e82c198264183166069d8ad567f63275c74a8

  • SHA512

    7e4560bd6e76d181b47f44eca0a7195cb905e852ed2a94308cad57576a16c62335256978c73ddac275d736423c5c6a9a4eed648090847ee80e8183be77c04486

  • SSDEEP

    24576:fO29aTBMPYvJnXAvKhO7CMbNdCrty7ARVJ3g6cbhbZxvI:G29adQt3CrtWQcb3xv

Score
10/10
umbralstealer

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1230863499496783923/A02kDLEw6wbN8ixBXQtfYqly_yrSOMARWe64V1_a5LlUVAnlyyQj7Axye820VBzQV8HJ

Signatures

  • Detect Umbral payload 2 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4296
    • C:\Users\Admin\AppData\Local\Temp\dykelpby.cpq.exe
      "C:\Users\Admin\AppData\Local\Temp\dykelpby.cpq.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3452
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3068

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\dykelpby.cpq.exe
    Filesize

    227KB

    MD5

    7f32dcbb00de079c31ff7895ae9c0560

    SHA1

    e80841a355b8dce9955b9bbba63f02a4ad31a836

    SHA256

    5658f42d6332d99827d772a710d74e905f822d23e958c86f802973c2cffe850f

    SHA512

    776cabc7d2442d90655eec0f434c811146b7f569dbace3c8609a582c167af5990ec25d1d7a8eb111744cecbdcd43d37af7d623eb97eb414ad926371083f7aadc

    Download Submit

  • memory/3452-11-0x0000016D96F80000-0x0000016D96FC0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/3452-15-0x0000016DB1620000-0x0000016DB1630000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3452-14-0x00007FFD6FBC0000-0x00007FFD705AC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/3452-17-0x00007FFD6FBC0000-0x00007FFD705AC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/4296-0-0x00000000000B0000-0x000000000041E000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/4296-1-0x00000000000B0000-0x000000000041E000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/4296-2-0x0000000073450000-0x0000000073B3E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4296-3-0x00000000055A0000-0x00000000055B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4296-12-0x00000000000B0000-0x000000000041E000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/4296-13-0x0000000073450000-0x0000000073B3E000-memory.dmp

    Filesize

    6.9MB

    Download