General

  • Target

    Umbral.exe

  • Size

    227KB

  • Sample

    240630-jb5x1svdkg

  • MD5

    9373f372b640980c2c21635ea1d0e198

  • SHA1

    4a839ba396c68479c9b78cbfd1ea9005c9c1840e

  • SHA256

    1d4614f2beab6bab69464e7cf41e34db255e42a9b8d754d598faa0b9ec4d7b99

  • SHA512

    9a6db6f4a87666e9789273027217d9656257917f530b36c60f9e026bbc9ef2229f66718b6365d0691ec254e153a537bfa1c577f7df4d588218b3c110ffbd46d8

  • SSDEEP

    6144:+loZM+rIkd8g+EtXHkv/iD4SRLvW0b3c5NImHHm9cb8e1m6i:ooZtL+EP8SRLvW0b3c5NImHHmec

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1256869688487710730/3Fj510GAhIc5eHrXmSNeNQgCXtDIkrV654Xp5RicQTcyuhg2Jty3efrsKc3zfTViSvsg

Targets

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an open-source modular stealer written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other profile data.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks