Behavioral task
behavioral1
Sample
Excess_nls.scr
Resource
win7-20240215-en
General
-
Target
Excess_nls.scr
-
Size
247KB
-
MD5
7435510d618cc836b23a1bb1791b67b2
-
SHA1
1428f359a72436dc70e288963d6fb04387e94bd4
-
SHA256
28b8e4f41d9f11d19a188dc903d3a8d37a643d5e3d61b260ddc01a4fd475b91d
-
SHA512
5ccc5f49c7752d5367b4e7e4a858ac462e06a7eed7231b8dd96c8c441290e99e71fda3eaffec808656e7a3030c9cf476fc144a102a4ef373d7f184d40fdcfd7b
-
SSDEEP
6144:bloZM+rIkd8g+EtXHkv/iD46UsziAfboMxUyzzqG2b8e1mWuFeiQfWsy:5oZtL+EP86UsziAfboMxUyzzq9futQf
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1238178545021223043/3ZwoReIQJSAQr16Af1BPQ_NiaK5GtGr7sxQn3Lgc4WKZeQw7NFQBrtoUb7cgT9HvE0v4
Signatures
-
Detect Umbral payload 1 IoCs
resource yara_rule sample family_umbral -
Umbral family
-
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
resource Excess_nls.scr
Files
-
Excess_nls.scr.exe windows:4 windows x86 arch:x86
f34d5f2d4577ed6d9ceec516c1f5a744
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE
Imports
mscoree
_CorExeMain
Sections
.text Size: 228KB - Virtual size: 228KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rsrc Size: 18KB - Virtual size: 17KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 12B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ