umbral | lol[.]exe | Triage

Sharing

General

Target

lol.exe
Size

4.3MB
MD5

db328f188ed341579a63b66c109670a1
SHA1

3ac3932b8b1696967e9a75da7f3b1cfcb2b22df5
SHA256

2cdb40eac305ccd9d25319aab18d9af4f1be4068ab65dd5f18ba8841c71a9464
SHA512

53e3c175ad68c66d9426e03bdb094ceb8febd89eae89b3b6f7f635efc78119f70723f08b30ee0752cb8ac33fba174d0efe46427f508906865eab86486366a59a
SSDEEP

49152:WoGapAv1vYjUbQgvdkMgl2Zu7jfWL2ntzMqS1MTetxQnVIqwlwHnEOGc:WoGapAv1vYjWSMy7PlnVw1/6q1ONB

Score

10^/10

umbral njrat

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
sample	family_umbral

Njrat family
njrat
Umbral family
umbral

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
sample	autoit_exe

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
lol.exe

Files

lol.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

C:\Users\SerGreen\Source\Repos\Appacker\UnpackerWindowless\obj\Release\UnpackerWindowless.pdb

Imports

mscoree

_CorExeMain

Sections

.text
Size: 264KB - Virtual size: 264KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 552KB - Virtual size: 551KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ