Extracted

• • Target

    Shelbag anylizer.exe

  • Size

    93KB

  • MD5

    1ead93be70fe9a5c810e495eb7a03fda

  • SHA1

    cc23e50346278e4e43cd555cef0f2717bb6b888a

  • SHA256

    bdcfadcd70c3f7257a4b76181146424698309059fa089a6d7a83a76ea063c601

  • SHA512

    76828126e5994e01e31a027fa86a5d87aa0f278e6799e54fdf4f9429a746406621e4db6e57aac3d8421fa046efe66e089e35ea44ea516f2a20fce827dba12fbb

  • SSDEEP

    768:NY3KkgyYtrF4M5Y2XaxKlwnvhDL95XpJCTXTfGBqXxrjEtCdnl2pi1Rz4Rk38sGt:NkZYZpXajhLff2TfRjEwzGi1dDUDRgS

  Score

  10^/10

  evasionumbralexecutionspywarestealer

  • Detect Umbral payload

  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Disables Task Manager via registry modification

    evasion

  • Drops file in Drivers directory

  • Modifies Windows Firewall

    evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  behavioral1behavioral2