Resubmissions

11-06-2024 14:57

240611-sbkrhs1gkk 3

11-06-2024 14:34

240611-rxtqwa1ckl 10

General

  • Target

    exloader.exe

  • Size

    374KB

  • Sample

    240611-rxtqwa1ckl

  • MD5

    5f5c62095352d43aa3e0c44e523de441

  • SHA1

    ebc3afb594a29bede8361b09de504d35dd6f082a

  • SHA256

    7165426a7c1588e66f85f527eb7f8a78523d470a2b5b433239dd6806b4169d3d

  • SHA512

    e920f6a28dce9c73f3906068aebd5d772a2ff600842d798a6f573a13f3b079b0dbcf5c14020c1e0ad0f589c9466699585b3ee55108b7ffa771c23f85251928d1

  • SSDEEP

    6144:yzieeedDj8F69uBDbkkL2b96+9I3zyGaqI8ZexY1rnPAoViXbaGJEC6:9LedDCVDbkkCb96MGa9BxY1TfASC6

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1249704784987164703/ca-y_9GwB72aYesYuhyASvq_2_MATSIx8mjKM6jwyK5Xqbh6uJ1r5aRLv71wN3e6lfyW

Targets

    • Detect Umbral payload

    • Modifies WinLogon for persistence

    • Umbral

      Umbral stealer is an open-source modular stealer written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Modifies AppInit DLL entries

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies, and session tokens.

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks