umbral | lol[.]exe | Triage

Sharing

General

Target

lol.exe
Size

9.2MB
MD5

d34b17e6ea6ac4905395e642fccb4b41
SHA1

28077dd98405dc4d81ab23a5d4b8d3bd1641c1f7
SHA256

76f7d049dcc9d1ce18c0a6e9ecdb1330a4cc3c01338a4048a8d0801a0d54cf52
SHA512

db566fa061db5592329fe2719c4083c8c8d17f032f7f6a36c899c3c9aa02a4766edc4711547b0ad6bc8e6cb4d61d10a3961850fe9a8993bf5f4f2da617ee3909
SSDEEP

196608:tbVYKe7PTQhn5EQ9hNQAYzA5k6cTWDn7JKObS09BBI3:pzuQ5EWheYkv8LlB23

Score

10^/10

umbral njrat

Malware Config

Signatures

Detect Umbral payload 1 IoCs

Processes:

resource yara_rule

sample family_umbral
Njrat family
njrat
Umbral family
umbral
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.

Processes:

resource yara_rule

sample autoit_exe
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.

Processes:

resource

lol.exe

Files

lol.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

C:\Users\SerGreen\Source\Repos\Appacker\UnpackerWindowless\obj\Release\UnpackerWindowless.pdb

Imports

mscoree

_CorExeMain

Sections

.text
Size: 264KB - Virtual size: 264KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 266KB - Virtual size: 265KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ