umbral | lol[.]exe | Triage

Sharing

General

Target

lol.exe
Size

3.6MB
MD5

20bed1337f3a4fac4127076ad1a1fa67
SHA1

fe648d3c6f275b81080d1f30068f423cdb4a8a7a
SHA256

0e4554928c58499fee3ecbf94846ef961957ed91a0d18c675d73dad6c9cb3de6
SHA512

9da7adc1d495716ce6e1d5cfd78401fcafe32e92f59f377b4bd4c89c2f6d2754b9320d2ab59e48a02ed30f4ee65e7bf5d084d33d673a08e8c1b4a84e0716dd2b
SSDEEP

49152:WoGapAv1vYjUbQgvdkMgl2Zu7jfWL2ntzMqS1MhGc:WoGapAv1vYjWSMy7PlnVw1sB

Score

10^/10

umbral njrat

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
sample	family_umbral

Njrat family
njrat
Umbral family
umbral

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
sample	autoit_exe

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
lol.exe

Files

lol.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

C:\Users\SerGreen\Source\Repos\Appacker\UnpackerWindowless\obj\Release\UnpackerWindowless.pdb

Imports

mscoree

_CorExeMain

Sections

.text
Size: 264KB - Virtual size: 264KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 552KB - Virtual size: 551KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ