umbral | e5da8ebc635776269ddceed41b6b6c0860071dafbe121b3fa17e63d01effd26c

General

Target

Umbral.exe
Size

231KB
MD5

e9e39a33854ca8af45f6048dd49f265b
SHA1

d19011ba34adf3135335aa9839d24e1b5c5dde71
SHA256

e5da8ebc635776269ddceed41b6b6c0860071dafbe121b3fa17e63d01effd26c
SHA512

703fdc9b9d086329a7273138920904fa0bf3d9917c0db74fcba1853bf1ecd42fd3144725238104e98ebac95f31da5d38551b3f97fb6c72ffdd0c60dbdc4d35cf
SSDEEP

6144:YOSAnvuqXLUirFMWyW1bYcUNSzNc0jqatc2J8e1mvSTU:vDqyFMWyW1bYcUNSzNc0jqIj2T

Score

10^/10

umbral execution stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2204-1-0x0000000000920000-0x0000000000960000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2036 powershell.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

6 discord.com
7 discord.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

wmic.exe

pid process

1664 wmic.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

2036 powershell.exe
2908 powershell.exe
2888 powershell.exe

pid	process
2036	powershell.exe

flow	ioc
6	discord.com
7	discord.com

flow	ioc
4	ip-api.com

pid	process
1664	wmic.exe

pid	process
2036	powershell.exe
2908	powershell.exe
2888	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Umbral.exepowershell.exepowershell.exewmic.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	2204	Umbral.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeIncreaseQuotaPrivilege	1524	wmic.exe
Token: SeSecurityPrivilege	1524	wmic.exe
Token: SeTakeOwnershipPrivilege	1524	wmic.exe
Token: SeLoadDriverPrivilege	1524	wmic.exe
Token: SeSystemProfilePrivilege	1524	wmic.exe
Token: SeSystemtimePrivilege	1524	wmic.exe
Token: SeProfSingleProcessPrivilege	1524	wmic.exe
Token: SeIncBasePriorityPrivilege	1524	wmic.exe
Token: SeCreatePagefilePrivilege	1524	wmic.exe
Token: SeBackupPrivilege	1524	wmic.exe
Token: SeRestorePrivilege	1524	wmic.exe
Token: SeShutdownPrivilege	1524	wmic.exe
Token: SeDebugPrivilege	1524	wmic.exe
Token: SeSystemEnvironmentPrivilege	1524	wmic.exe
Token: SeRemoteShutdownPrivilege	1524	wmic.exe
Token: SeUndockPrivilege	1524	wmic.exe
Token: SeManageVolumePrivilege	1524	wmic.exe
Token: 33	1524	wmic.exe
Token: 34	1524	wmic.exe
Token: 35	1524	wmic.exe
Token: SeIncreaseQuotaPrivilege	1524	wmic.exe
Token: SeSecurityPrivilege	1524	wmic.exe
Token: SeTakeOwnershipPrivilege	1524	wmic.exe
Token: SeLoadDriverPrivilege	1524	wmic.exe
Token: SeSystemProfilePrivilege	1524	wmic.exe
Token: SeSystemtimePrivilege	1524	wmic.exe
Token: SeProfSingleProcessPrivilege	1524	wmic.exe
Token: SeIncBasePriorityPrivilege	1524	wmic.exe
Token: SeCreatePagefilePrivilege	1524	wmic.exe
Token: SeBackupPrivilege	1524	wmic.exe
Token: SeRestorePrivilege	1524	wmic.exe
Token: SeShutdownPrivilege	1524	wmic.exe
Token: SeDebugPrivilege	1524	wmic.exe
Token: SeSystemEnvironmentPrivilege	1524	wmic.exe
Token: SeRemoteShutdownPrivilege	1524	wmic.exe
Token: SeUndockPrivilege	1524	wmic.exe
Token: SeManageVolumePrivilege	1524	wmic.exe
Token: 33	1524	wmic.exe
Token: 34	1524	wmic.exe
Token: 35	1524	wmic.exe
Token: SeIncreaseQuotaPrivilege	2396	wmic.exe
Token: SeSecurityPrivilege	2396	wmic.exe
Token: SeTakeOwnershipPrivilege	2396	wmic.exe
Token: SeLoadDriverPrivilege	2396	wmic.exe
Token: SeSystemProfilePrivilege	2396	wmic.exe
Token: SeSystemtimePrivilege	2396	wmic.exe
Token: SeProfSingleProcessPrivilege	2396	wmic.exe
Token: SeIncBasePriorityPrivilege	2396	wmic.exe
Token: SeCreatePagefilePrivilege	2396	wmic.exe
Token: SeBackupPrivilege	2396	wmic.exe
Token: SeRestorePrivilege	2396	wmic.exe
Token: SeShutdownPrivilege	2396	wmic.exe
Token: SeDebugPrivilege	2396	wmic.exe
Token: SeSystemEnvironmentPrivilege	2396	wmic.exe
Token: SeRemoteShutdownPrivilege	2396	wmic.exe
Token: SeUndockPrivilege	2396	wmic.exe
Token: SeManageVolumePrivilege	2396	wmic.exe
Token: 33	2396	wmic.exe
Token: 34	2396	wmic.exe
Token: 35	2396	wmic.exe
Token: SeIncreaseQuotaPrivilege	2396	wmic.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

Umbral.exe

description	pid	process	target process
PID 2204 wrote to memory of 2036	2204	Umbral.exe	powershell.exe
PID 2204 wrote to memory of 2036	2204	Umbral.exe	powershell.exe
PID 2204 wrote to memory of 2036	2204	Umbral.exe	powershell.exe
PID 2204 wrote to memory of 2908	2204	Umbral.exe	powershell.exe
PID 2204 wrote to memory of 2908	2204	Umbral.exe	powershell.exe
PID 2204 wrote to memory of 2908	2204	Umbral.exe	powershell.exe
PID 2204 wrote to memory of 1524	2204	Umbral.exe	wmic.exe
PID 2204 wrote to memory of 1524	2204	Umbral.exe	wmic.exe
PID 2204 wrote to memory of 1524	2204	Umbral.exe	wmic.exe
PID 2204 wrote to memory of 2396	2204	Umbral.exe	wmic.exe
PID 2204 wrote to memory of 2396	2204	Umbral.exe	wmic.exe
PID 2204 wrote to memory of 2396	2204	Umbral.exe	wmic.exe
PID 2204 wrote to memory of 1748	2204	Umbral.exe	wmic.exe
PID 2204 wrote to memory of 1748	2204	Umbral.exe	wmic.exe
PID 2204 wrote to memory of 1748	2204	Umbral.exe	wmic.exe
PID 2204 wrote to memory of 2888	2204	Umbral.exe	powershell.exe
PID 2204 wrote to memory of 2888	2204	Umbral.exe	powershell.exe
PID 2204 wrote to memory of 2888	2204	Umbral.exe	powershell.exe
PID 2204 wrote to memory of 1664	2204	Umbral.exe	wmic.exe
PID 2204 wrote to memory of 1664	2204	Umbral.exe	wmic.exe
PID 2204 wrote to memory of 1664	2204	Umbral.exe	wmic.exe

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2908

C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2396

C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
2⤵
PID:1748

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2888

C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
2⤵
- Detects videocard installed
PID:1664

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:1676

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
40d4830f6bb9269550e23b7be4072d10

SHA1
e9286b6613a76e9c5dc671bb33fa23f616f9f866

SHA256
1416aa7b2f0077c8e6fde101665b85fe813f0768ae86dc5ec701fa2347684b3d

SHA512
d1b170e8fc836830513ec35e5d1c95e885cfab32f6025424b36041d0a997218494b92bb543d8fdb8fbd8d0ffb19d02d52cc460d548d07520d834e037a87d00e5

Download Submit
memory/2036-12-0x000007FEED9B0000-0x000007FEEE34D000-memory.dmp

Filesize
9.6MB

Download
memory/2036-13-0x000007FEED9B0000-0x000007FEEE34D000-memory.dmp

Filesize
9.6MB

Download
memory/2036-7-0x000007FEEDC6E000-0x000007FEEDC6F000-memory.dmp

Filesize
4KB

Download
memory/2036-8-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/2036-9-0x0000000002770000-0x0000000002778000-memory.dmp

Filesize
32KB

Download
memory/2036-10-0x000007FEED9B0000-0x000007FEEE34D000-memory.dmp

Filesize
9.6MB

Download
memory/2036-11-0x000007FEED9B0000-0x000007FEEE34D000-memory.dmp

Filesize
9.6MB

Download
memory/2204-0-0x000007FEF58E3000-0x000007FEF58E4000-memory.dmp

Filesize
4KB

Download
memory/2204-2-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download
memory/2204-1-0x0000000000920000-0x0000000000960000-memory.dmp

Filesize
256KB

Download
memory/2204-33-0x000007FEF58E3000-0x000007FEF58E4000-memory.dmp

Filesize
4KB

Download
memory/2204-34-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download
memory/2888-29-0x000000001B790000-0x000000001BA72000-memory.dmp

Filesize
2.9MB

Download
memory/2908-19-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/2908-20-0x0000000002690000-0x0000000002698000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads