umbral | df5d7a8f8a3f6b8435b740a0dbbba9f2e1dfe73c089d816ca3de51d8b83c9d28 | Triage

Analysis

max time kernel
12s
max time network
22s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25-06-2024 08:20

Sharing

Report Analysis Logs

General

Target

executor.exe
Size

231KB
MD5

c44427a9d20943c67d642322fb04f3fc
SHA1

9594b8df83380984201a91990265a7e4a71a67dc
SHA256

df5d7a8f8a3f6b8435b740a0dbbba9f2e1dfe73c089d816ca3de51d8b83c9d28
SHA512

d05556225668c74d6217063dacbd1499e5d690c540f5ed75585104cfbbb76ce1fa0c9d68f2487ef713730f33758d2e007c5f4cce55744f9c519b83c2fc483b74
SSDEEP

6144:RloZM+rIkd8g+EtXHkv/iD4eRJa0fy8e1mSji:joZtL+EP8E4Fu

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/3300-0-0x0000022FE1EB0000-0x0000022FE1EF0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3300	executor.exe

C:\Users\Admin\AppData\Local\Temp\executor.exe
"C:\Users\Admin\AppData\Local\Temp\executor.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3300

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3300-1-0x00007FFE899C3000-0x00007FFE899C5000-memory.dmp

Filesize
8KB

Download
memory/3300-0-0x0000022FE1EB0000-0x0000022FE1EF0000-memory.dmp

Filesize
256KB

Download
memory/3300-2-0x00007FFE899C0000-0x00007FFE8A481000-memory.dmp

Filesize
10.8MB

Download