umbral | e4310f76275772aa2a6d4aa393a18a07e1ddb91ef6f2018cba717ba3478af322

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
01-06-2024 09:23

Target

incognito.exe
Size

229KB
MD5

a2e2e39f0f37c2bad057abd0d26da126
SHA1

644b65d488765656986b5f3607dac359e9955b27
SHA256

e4310f76275772aa2a6d4aa393a18a07e1ddb91ef6f2018cba717ba3478af322
SHA512

7be3fc42afae83211517c67cf9e1e87e463c5bffac89daac65f5b56353a29ab4a3a7573b6fa53c07357721ea980ce177c379dffe82967ba80ce8d0d298133e66
SSDEEP

6144:9loZM+rIkd8g+EtXHkv/iD46oX8syVtGDTOMdRYYhb8e1mjEi:foZtL+EP86oX8syVtGDTOMdRY4K

Score

10^/10

umbral stealer

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/1920-1-0x0000000000DE0000-0x0000000000E20000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1920	incognito.exe

C:\Users\Admin\AppData\Local\Temp\incognito.exe
"C:\Users\Admin\AppData\Local\Temp\incognito.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1920

memory/1920-0-0x000007FEF5043000-0x000007FEF5044000-memory.dmp

Filesize
4KB

Download
memory/1920-1-0x0000000000DE0000-0x0000000000E20000-memory.dmp

Filesize
256KB

Download
memory/1920-2-0x000007FEF5040000-0x000007FEF5A2C000-memory.dmp

Filesize
9.9MB

Download
memory/1920-3-0x000007FEF5043000-0x000007FEF5044000-memory.dmp

Filesize
4KB

Download
memory/1920-4-0x000007FEF5040000-0x000007FEF5A2C000-memory.dmp

Filesize
9.9MB

Download