umbral | lol[.]exe | Triage

Sharing

General

Target

lol.exe
Size

9.2MB
MD5

93296816398ac7ff5fc9d91f8d2765b2
SHA1

f5817b3d34c22d0f847028797db143d75f592536
SHA256

1d84ff128228995c275b3e6c05cd19e4e46fcb7574cbd7fb3934abb3df3d1129
SHA512

fef4af08ce771ffad5eb500813052b93ff3c4c71711c03e9c9314fd16212b89fa14f77ca9f648c57617600c4fb932ebb7dd5bf97685e480106f79c98ac15885c
SSDEEP

196608:tbVYKe7PFQhn5EQ9hNQAYzA5k6cTWDn7JKObS09BBI3:pzu25EWheYkv8LlB23

Score

10^/10

umbral njrat

Malware Config

Signatures

Detect Umbral payload 1 IoCs

Processes:

resource yara_rule

sample family_umbral
Njrat family
njrat
Umbral family
umbral
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.

Processes:

resource yara_rule

sample autoit_exe
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.

Processes:

resource

lol.exe

Files

lol.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

C:\Users\SerGreen\Source\Repos\Appacker\UnpackerWindowless\obj\Release\UnpackerWindowless.pdb

Imports

mscoree

_CorExeMain

Sections

.text
Size: 264KB - Virtual size: 264KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 266KB - Virtual size: 265KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ