Overview

overview

10

Static

static

10

Omoforia.exe

windows7-x64

10

Omoforia.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    70s
  • max time network
    31s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    08-06-2024 17:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Omoforia.exe

  • Size

    216KB

  • MD5

    512441160e210a7696cc24bb5b07ebab

  • SHA1

    ce8d0012808448dc249b6376a715e16400b7ead4

  • SHA256

    319e8877d90fd746f2d47b0f713d1bd594c1b5973b4ffd8e03f881509964db5d

  • SHA512

    4a60c13bbdaf63b4dd64706d9278e6a3a4b59c43ec8482fbcdbd1075af355f34ea45e9b57f31718dd8c7f1f9328fa3cbf132e2080dc16a245335fb71c3952146

  • SSDEEP

    3072:JmpcjvqySgPAb+D9Cocawot18PeXdJBJg3plgsLSl8eN7s8m+XPcGTSYW:0cWoPAiRrt18aPJei8eNY8mWpS

Score
10/10
umbralstealer

Malware Config

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of FindShellTrayWindow 60 IoCs
  • Suspicious use of SendNotifyMessage 59 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Omoforia.exe
    "C:\Users\Admin\AppData\Local\Temp\Omoforia.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1908
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2564
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:2552
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1652

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1652-18-0x0000000140000000-0x00000001405E8000-memory.dmp
      Filesize

      5.9MB

      Download
    • memory/1652-19-0x0000000140000000-0x00000001405E8000-memory.dmp
      Filesize

      5.9MB

      Download
    • memory/1652-20-0x0000000140000000-0x00000001405E8000-memory.dmp
      Filesize

      5.9MB

      Download
    • memory/1652-21-0x0000000140000000-0x00000001405E8000-memory.dmp
      Filesize

      5.9MB

      Download
    • memory/1908-0-0x000007FEF5043000-0x000007FEF5044000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1908-1-0x0000000000FF0000-0x000000000102C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/1908-2-0x000007FEF5040000-0x000007FEF5A2C000-memory.dmp
      Filesize

      9.9MB

      Download
    • memory/1908-17-0x000007FEF5040000-0x000007FEF5A2C000-memory.dmp
      Filesize

      9.9MB

      Download