umbral | TEST[.]rar | Triage

Sharing

General

Target

TEST.rar
Size

80KB
MD5

b73a235392b360b22f6b244b0b0af97a
SHA1

524829a16a97ba862337b8ad7ec86707e231cfe9
SHA256

c2caa0fa4a868c131c9139635dd57f67ec1bba9283ab4b0a121fdff5a4a21082
SHA512

50122d08a5965c537ab7bf9bc8c5372ae48858459e47a652e04d98a3dc8c02f5664f759600e07b658de543696c0c06dbf0311d583168ae43427f67c057801c64
SSDEEP

1536:5PJo3xi6Dpg60TuRW3mF50HuCvsfqSYh35wHGIDO8sGAYNQ7OPqyMHC96:5C3s6DpF0Kg3mFWdcqhwHGUO0qIn96

Score

10^/10

umbral

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1248680916088524882/scOLRb8Ed3pZrVLq-wxEU3RMvJbAjEVyHOhqKEPHD6NL1h3WeGeXo53UPUp5psuRr4DL

Signatures

Detect Umbral payload 1 IoCs

Processes:

resource	yara_rule
static1/unpack001/TEST.exe	family_umbral

Umbral family
umbral
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.

Processes:

resource

unpack001/TEST.exe

Files

TEST.rar
.rar

Password: 1212
TEST.exe
.exe windows:4 windows x86 arch:x86

Password: 1212

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 227KB - Virtual size: 226KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ