Extracted

• • Target

    31e4b84acc0e087764e3608e94949c75fa86c665af401b4f3248a5a03ee92bcb

  • Size

    455KB

  • MD5

    2ef41c1b58df5c7204770c5b599f361a

  • SHA1

    6cb5318175b19409a511a28f8f79aba50d7bc8cc

  • SHA256

    31e4b84acc0e087764e3608e94949c75fa86c665af401b4f3248a5a03ee92bcb

  • SHA512

    6367d7aae6431976e70e01faa41b730a20e99336780b1a368797765e73557224f12e11c417f3fde89ceddf0afcdd05a2790ac77a6bbb406097fb069d8e084abb

  • SSDEEP

    6144:DFob20/TesMPbgBfVlWbKABdpFViyIoP/E0oys2oL62mGCsWRBmkfReNxa/YyCRZ:EqP0JVlWK4So5s2JvJD7fRb/9CRAV

  Score

  10^/10

  umbralstealerexecutionspyware

  • Detect Umbral payload

  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Drops file in Drivers directory

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1behavioral2