Extracted

• • Target

    bdbc624e4c40d85f3927d8dc261ee069982728471bde7a245504c3e903f1234e

  • Size

    234KB

  • MD5

    65e7b5e4dd86e66cddd279dced3c31e5

  • SHA1

    5b1836bd0519a866848d5867b42c9182066109bf

  • SHA256

    bdbc624e4c40d85f3927d8dc261ee069982728471bde7a245504c3e903f1234e

  • SHA512

    ccb978eddac4b06c992db66db63e08964f94181fb068c76281d5c6e13e69b85723a89780110f3a5fb7570a79ca24dff8d78270f13f1faa419a98715c1fbd3f14

  • SSDEEP

    6144:tloZM9rIkd8g+EtXHkv/iD4WeANbYMTiqL9Y0hnT+Y8e1mki:voZOL+EP8WeANbYMTiqL9Y0hFI

  Score

  10^/10

  umbralexecutionspywarestealer

  • Detect Umbral payload

  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral

  • Detects executables attemping to enumerate video devices using WMI

  • Detects executables containing possible sandbox analysis VM names

  • Detects executables containing possible sandbox analysis VM usernames

  • Detects executables containing possible sandbox system UUIDs

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Drops file in Drivers directory

  • Deletes itself

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1behavioral2