umbral | 2083f10b11097d67563cd88af575bd6aeb4d07fb0b016666058fd6c2072297db | Triage

Submit
Reports

Overview

overview

Static

static

2083f10b11...db.exe

windows7-x64

2083f10b11...db.exe

windows10-2004-x64

Sharing

General

Target

2083f10b11097d67563cd88af575bd6aeb4d07fb0b016666058fd6c2072297db
Size

106KB
Sample

240622-x258csvfrm
MD5

b06c811554508247282dc00b7a82b0ef
SHA1

1574070e54ae15a93b8a9ecd4a40a98cfb2f1a71
SHA256

2083f10b11097d67563cd88af575bd6aeb4d07fb0b016666058fd6c2072297db
SHA512

f9f1f1c75ac472e4167ecba2811eae3b66c7023bd9257c310e2469be8b796010cb0657244640e2525f46464cee894bef87d284fb02b5ee3439d3f23ab45a8c6e
SSDEEP

3072:GmqRL49gVu4HLM2daP8NJYHttq9iZLSHdUvynNe9nLsZ:GbeIM4/JY7q9SLS9Eynw9nL

Score

10^/10

umbral bootkit persistence stealer

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

2083f10b11097d67563cd88af575bd6aeb4d07fb0b016666058fd6c2072297db.exe

Resource

win7-20240508-en

umbral bootkit persistence stealer

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

2083f10b11097d67563cd88af575bd6aeb4d07fb0b016666058fd6c2072297db.exe

Resource

win10v2004-20240508-en

umbral bootkit persistence stealer

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1188379475021410374/Ssj5Ns9zjIl8_hao3wt15snRVqwtBYjDt8QLCtqPC4z6ltGHrqIRWciPemKhTAJ3Ea_2

Targets

- Target
  
  2083f10b11097d67563cd88af575bd6aeb4d07fb0b016666058fd6c2072297db
- Size
  
  106KB
- MD5
  
  b06c811554508247282dc00b7a82b0ef
- SHA1
  
  1574070e54ae15a93b8a9ecd4a40a98cfb2f1a71
- SHA256
  
  2083f10b11097d67563cd88af575bd6aeb4d07fb0b016666058fd6c2072297db
- SHA512
  
  f9f1f1c75ac472e4167ecba2811eae3b66c7023bd9257c310e2469be8b796010cb0657244640e2525f46464cee894bef87d284fb02b5ee3439d3f23ab45a8c6e
- SSDEEP
  
  3072:GmqRL49gVu4HLM2daP8NJYHttq9iZLSHdUvynNe9nLsZ:GbeIM4/JY7q9SLS9Eynw9nL
Score

10^/10

umbral bootkit persistence stealer
- Detect Umbral payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
- Detects executables Discord URL observed in first stage droppers
- Detects executables attemping to enumerate video devices using WMI
- Detects executables containing possible sandbox analysis VM names
- Detects executables containing possible sandbox analysis VM usernames
- Detects executables containing possible sandbox system UUIDs
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Pre-OS Boot

Bootkit

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Pre-OS Boot

Bootkit

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

umbralbootkitpersistencestealer

behavioral2

umbralbootkitpersistencestealer

© 2018-2024

Terms | Privacy