umbral | lol[.]exe | Triage

Sharing

General

Target

lol.exe
Size

4.4MB
MD5

97d63efe8aedbed0c9145d6419142e8a
SHA1

6eb1d43ab5a57f1399ddbf620e77951fe78e2b6f
SHA256

5a96cf05d1e13547ba2459f23d22231242c11eef2ed6872c31265c23805c9024
SHA512

f5b6103de30fe4f24ddca40d10a54b06588b7228104407a1e249c0730de5a5809ca63245d31dcb2e9e71943081be064b1ff08f671a5eb46e7da34b2a294467fe
SSDEEP

49152:WoGapAv1vYjUbQgvdkMgl2Zu7jfWL2ntzMqS1MUetxQnVIqwlwHnEOGc:WoGapAv1vYjWSMy7PlnVw1I6q1ONB

Score

10^/10

umbral njrat

Malware Config

Signatures

Detect Umbral payload 1 IoCs

Processes:

resource yara_rule

sample family_umbral
Njrat family
njrat
Umbral family
umbral
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.

Processes:

resource yara_rule

sample autoit_exe
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.

Processes:

resource

lol.exe

Files

lol.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

C:\Users\SerGreen\Source\Repos\Appacker\UnpackerWindowless\obj\Release\UnpackerWindowless.pdb

Imports

mscoree

_CorExeMain

Sections

.text
Size: 264KB - Virtual size: 264KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 552KB - Virtual size: 551KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ