General
-
Target
free fn.exe
-
Size
235KB
-
MD5
6ae5b948985503861d3bfe49fc7a48e9
-
SHA1
8cd674feafe41aa3d8da793759f57183c0b7ec11
-
SHA256
546ef858612df99867cab116a37661becc83704ebcc969cbfcaca399b6f129d5
-
SHA512
8cf2cf52b456ef9ed158329afb1981b2596a1d75496221bfcf0590450cb375cd13b4e4676f15204e80c980d31fdb6738bba0a92d8360fca789cd244f3882b05d
-
SSDEEP
6144:rloZM+rIkd8g+EtXHkv/iD4OAZaT5KyNC4ZL22jCkb8e1mXinkl:poZtL+EP8OAZaT5KyNC4ZL22jzFnA
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1236040747610804225/XO1huExy1hLh6aVEqdRIaGHhxW1eItCY9H6J7E6KgaMgVX3VzweMTKWtBc1371SjLsXR
Signatures
-
Detect Umbral payload 1 IoCs
resource yara_rule sample family_umbral -
Umbral family
-
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
resource free fn.exe
Files
-
free fn.exe.exe windows:4 windows x86 arch:x86
f34d5f2d4577ed6d9ceec516c1f5a744
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE
Imports
mscoree
_CorExeMain
Sections
.text Size: 228KB - Virtual size: 227KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rsrc Size: 6KB - Virtual size: 5KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 12B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ