Extracted

• • Target

    Umbral.exe

  • Size

    229KB

  • MD5

    33c44a7b9683ff02d2bfb98e93923823

  • SHA1

    67fff367c5878db5a31e705b9133e26e1f716ae5

  • SHA256

    3105cb04cffab27e70469349ad574d22f7ae349d16ad7f19fd357c7e19d76220

  • SHA512

    531781d1a6ddd2a5ffcb4888155df68079ebc9e7ee20860902f7aa51126e77c97575f5ffbd88a21d2899313232b703cc926029dff2a7d7fa2b2739d51665158a

  • SSDEEP

    6144:9loZM+rIkd8g+EtXHkv/iD4XPiTEKtFusr20VJgkCb8e1m+i:foZtL+EP8XPiTEKtFusr20VJgzQ

  Score

  10^/10

  umbralexecutionspywarestealer

  • Detect Umbral payload

  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Drops file in Drivers directory

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1