Extracted

• • Target

    3e9e513d3a5d3358b7a19dbc60b1bb15974f2e83436d9fc54e605b7dfc95836b

  • Size

    229KB

  • MD5

    aaa6c20771fef47391be5c85469eb409

  • SHA1

    f0d9249589fc1ae5b80a34dd11a6459ec8b90b14

  • SHA256

    3e9e513d3a5d3358b7a19dbc60b1bb15974f2e83436d9fc54e605b7dfc95836b

  • SHA512

    3689a4a865cdc054706088a0bd77c92990d218e15de5b9fb34d4abda0f05e6a22192e88d1f2d4dc5b191d7e2d4a92f369177e9e1e61c49f43a4401a97ad0f962

  • SSDEEP

    6144:tloZM+rIkd8g+EtXHkv/iD4RRc8EKtFuZr20VJgr9b8e1mTi:voZtL+EP8RRc8EKtFuZr20VJgZ5

  Score

  10^/10

  umbralstealerexecutionspyware

  • Detect Umbral payload

  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral

  • Detects executables attemping to enumerate video devices using WMI

  • Detects executables containing possible sandbox analysis VM names

  • Detects executables containing possible sandbox analysis VM usernames

  • Detects executables containing possible sandbox system UUIDs

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Drops file in Drivers directory

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1behavioral2