umbral | lol[.]exe | Triage

Sharing

General

Target

lol.exe
Size

4.1MB
MD5

967d3eaa117f7ff867a91febcc8d2928
SHA1

638872b00b1a3eed215e60e78c93b8b5599a5898
SHA256

21bd72f49e3a9bd1778fa174fdd0cde88a11ad8bf3cba985fe1367c7154a7abb
SHA512

f45a2bf03a9b83f9a1201eeac1f03b8610969a361ff7e38e4b37f93e80d18a1f33452677caf8546775ac08e1b493fa86ecc859c3cf75d3af1199470b39d0ef35
SSDEEP

49152:toInYnAv1vYjUbQgvdkMgl2Zu7jfWL2ntzMqS1M+etxQnVIqwlwHnEOGc:toIcAv1vYjWSMy7PlnVw1+6q1ONB

Score

10^/10

umbral njrat

Malware Config

Signatures

Detect Umbral payload 1 IoCs

Processes:

resource yara_rule

sample family_umbral
Njrat family
njrat
Umbral family
umbral
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.

Processes:

resource yara_rule

sample autoit_exe
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.

Processes:

resource

lol.exe

Files

lol.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

C:\Users\SerGreen\Source\Repos\Appacker\UnpackerWindowless\obj\Release\UnpackerWindowless.pdb

Imports

mscoree

_CorExeMain

Sections

.text
Size: 264KB - Virtual size: 264KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 266KB - Virtual size: 265KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ