Analysis Overview
SHA256: 8e95865efd39220dfc4abebc27141d9eae288a11981e43f09cbee6bf90347fe0
Threat Level: Known bad
The file Umbral.Stealer.zip was found to be: Known bad.
Malicious Activity Summary
Detect Umbral payload
Umbral family
Obfuscated with Agile.Net obfuscator
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported: 2024-06-30 21:10
Signatures
Detect Umbral payload
Umbral family
Obfuscated with Agile.Net obfuscator
Unsigned PE
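The two static findings above ("Unsigned PE" and an Agile.Net-obfuscated binary, which presupposes a .NET assembly) can be reproduced without a sandbox. The following is an added example, not code from the report or from the Umbral project: it reads the PE optional header's data directories with the standard library only and reports whether an Authenticode table and a CLR header are present. It does not parse or verify the signature blob. A minimal PE32+ header is constructed in memory so the script runs without a sample; pass a real file path to run it against an actual binary.

```python
"""Static PE triage with the standard library only.

Added example, not code from the sandbox report or from the Umbral project.
Reports whether an Authenticode table (IMAGE_DIRECTORY_ENTRY_SECURITY) and a
CLR header (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR) are present; nothing else
about the file is inspected. The PE32+ header built by build_pe32plus() is a
constructed test input, not a real sample.
"""
import struct

# Data directory indices from the PE/COFF specification.
DIR_SECURITY = 4          # IMAGE_DIRECTORY_ENTRY_SECURITY: Authenticode table (file offset, size)
DIR_COM_DESCRIPTOR = 14   # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: CLR (.NET) header (RVA, size)


def data_directories(pe: bytes) -> list:
    """Return [(value, size), ...] for each data directory in the optional header."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt = e_lfanew + 4 + 20                       # skip "PE\0\0" and the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                            # PE32: NumberOfRvaAndSizes at +92, dirs at +96
        count_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                          # PE32+: NumberOfRvaAndSizes at +108, dirs at +112
        count_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    count = min(struct.unpack_from("<I", pe, count_off)[0], 16)
    return [struct.unpack_from("<II", pe, dirs_off + 8 * i) for i in range(count)]


def triage(pe: bytes) -> dict:
    """Flags mirroring the report's static signatures."""
    dirs = data_directories(pe)

    def present(index: int) -> bool:
        return index < len(dirs) and dirs[index][1] != 0

    return {
        "has_authenticode": present(DIR_SECURITY),   # False => "Unsigned PE"
        "is_dotnet": present(DIR_COM_DESCRIPTOR),    # True  => a .NET obfuscator such as Agile.Net can apply
    }


def build_pe32plus(security=(0, 0), clr=(0, 0)) -> bytes:
    """Constructed test input: a minimal AMD64 PE32+ header, not a real sample."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)  # AMD64, 240-byte optional header
    opt = struct.pack("<H", 0x20B).ljust(108, b"\0") + struct.pack("<I", 16)  # magic ... NumberOfRvaAndSizes
    dirs = [(0, 0)] * 16
    dirs[DIR_SECURITY] = security
    dirs[DIR_COM_DESCRIPTOR] = clr
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    return dos + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_pe32plus(clr=(0x2008, 0x48))
    print(triage(data))
```

An absent security directory is necessary but not sufficient for "unsigned": a binary can also carry a catalog signature that lives outside the file, so treat the flag as "no embedded Authenticode" rather than "unverifiable".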
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-30 21:10
Reported: 2024-06-30 21:13
Platform: win7-20240508-en
Max time kernel: 119s
Max time network: 121s
Command Line
Signatures
Obfuscated with Agile.Net obfuscator
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Description: Token: SeDebugPrivilege
Process: C:\Users\Admin\AppData\Local\Temp\Umbral.builder.exe
Processes
C:\Users\Admin\AppData\Local\Temp\Umbral.builder.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.builder.exe"
Network
Files
memory/2416-0-0x000007FEF5FB3000-0x000007FEF5FB4000-memory.dmp
memory/2416-1-0x00000000008C0000-0x00000000008E2000-memory.dmp
memory/2416-2-0x0000000000490000-0x00000000004B0000-memory.dmp
memory/2416-3-0x00000000004B0000-0x00000000004D0000-memory.dmp
memory/2416-4-0x0000000000690000-0x00000000006FE000-memory.dmp
memory/2416-5-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp
memory/2416-6-0x00000000004D0000-0x00000000004DE000-memory.dmp
memory/2416-7-0x0000000000850000-0x00000000008AA000-memory.dmp
memory/2416-8-0x00000000004E0000-0x00000000004F0000-memory.dmp
memory/2416-9-0x00000000004F0000-0x000000000050E000-memory.dmp
memory/2416-10-0x000000001B9B0000-0x000000001BAFA000-memory.dmp
memory/2416-11-0x000000001BB00000-0x000000001BC16000-memory.dmp
memory/2416-12-0x0000000000700000-0x0000000000730000-memory.dmp
memory/2416-13-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp
memory/2416-14-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp
memory/2416-15-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp
memory/2416-16-0x000007FEF5FB3000-0x000007FEF5FB4000-memory.dmp
memory/2416-17-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp
memory/2416-18-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp
memory/2416-19-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted: 2024-06-30 21:10
Reported: 2024-06-30 21:13
Platform: win10v2004-20240508-en
Max time kernel: 41s
Max time network: 51s
Command Line
Signatures
Obfuscated with Agile.Net obfuscator
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Description: Token: SeDebugPrivilege
Process: C:\Users\Admin\AppData\Local\Temp\Umbral.builder.exe
Suspicious use of FindShellTrayWindow
Process: C:\Users\Admin\AppData\Local\Temp\Umbral.builder.exe
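The behavioural signatures in both runs (SeDebugPrivilege enabled through AdjustPrivilegeToken, EnumeratesProcesses, and on Win10 FindShellTrayWindow) are each a rule over the API-call trace. The block below is an added example, not the sandbox's own rule code: it scores a constructed per-process trace for those three findings and additionally records the order in which the first two occur, because enabling SeDebugPrivilege and then walking the process list is the sequence that precedes opening other processes. The Win32 API names mapped to each finding are an assumption about how such a signature is implemented, not something the report states.

```python
"""Replay of the behavioural signatures against an API-call trace.

Added example, not the sandbox's own rule code. The API-to-finding mapping
below is an assumption; the constructed trace reuses the Win7 run's PID 2416
and image path from the report and adds a benign process for contrast.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Call:
    seq: int      # position in the trace
    pid: int
    image: str
    api: str
    args: tuple


# Assumed API-to-finding mapping (not taken from the report).
ENUM_APIS = {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW", "EnumProcesses"}
SYSTEM_PROCESS_INFORMATION = 5   # NtQuerySystemInformation class that returns the process list


def enumerates_processes(c: Call) -> bool:
    if c.api in ENUM_APIS:
        return True
    return c.api == "NtQuerySystemInformation" and SYSTEM_PROCESS_INFORMATION in c.args


def evaluate(trace) -> dict:
    """Return {pid: sorted list of finding names} for a trace, evaluated in call order."""
    findings = defaultdict(set)
    debug_at = {}                       # pid -> seq at which SeDebugPrivilege was enabled
    for c in sorted(trace, key=lambda c: c.seq):
        if c.api == "AdjustTokenPrivileges" and "SeDebugPrivilege" in c.args:
            findings[c.pid].add("AdjustPrivilegeToken:SeDebugPrivilege")
            debug_at.setdefault(c.pid, c.seq)
        elif enumerates_processes(c):
            findings[c.pid].add("EnumeratesProcesses")
            if c.pid in debug_at and debug_at[c.pid] < c.seq:
                # Privilege first, enumeration after: the usual prelude to OpenProcess on a target.
                findings[c.pid].add("SeDebugPrivilege-then-EnumeratesProcesses")
        elif c.api in ("FindWindowW", "FindWindowA") and "Shell_TrayWnd" in c.args:
            # Weak signal on its own: any tray-aware GUI application performs this lookup.
            findings[c.pid].add("FindShellTrayWindow")
    return {pid: sorted(tags) for pid, tags in findings.items()}


# Constructed trace (not from the report): pid 2416 carries the findings of both runs,
# pid 1234 is a benign GUI process that only touches the tray window.
BUILDER = r"C:\Users\Admin\AppData\Local\Temp\Umbral.builder.exe"
TRACE = [
    Call(1, 2416, BUILDER, "OpenProcessToken", ("TOKEN_ADJUST_PRIVILEGES",)),
    Call(2, 2416, BUILDER, "AdjustTokenPrivileges", ("SeDebugPrivilege", "SE_PRIVILEGE_ENABLED")),
    Call(3, 2416, BUILDER, "CreateToolhelp32Snapshot", ("TH32CS_SNAPPROCESS",)),
    Call(4, 2416, BUILDER, "Process32FirstW", ()),
    Call(5, 2416, BUILDER, "Process32NextW", ()),
    Call(6, 2416, BUILDER, "FindWindowW", ("Shell_TrayWnd", None)),
    Call(7, 1234, r"C:\Windows\explorer.exe", "FindWindowW", ("Shell_TrayWnd", None)),
]

if __name__ == "__main__":
    for pid, tags in evaluate(TRACE).items():
        print(pid, tags)
```

The ordering finding is the one worth alerting on; the three individual signatures fire for debuggers, task managers and tray applications as readily as for a stealer.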
Processes
C:\Users\Admin\AppData\Local\Temp\Umbral.builder.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.builder.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/4084-1-0x000002563B380000-0x000002563B3A2000-memory.dmp
memory/4084-0-0x00007FFC0ADF3000-0x00007FFC0ADF5000-memory.dmp
memory/4084-3-0x000002563D100000-0x000002563D120000-memory.dmp
memory/4084-2-0x000002563B810000-0x000002563B830000-memory.dmp
memory/4084-5-0x000002563D120000-0x000002563D12E000-memory.dmp
memory/4084-8-0x0000025655920000-0x000002565593E000-memory.dmp
memory/4084-9-0x00007FFC0ADF0000-0x00007FFC0B8B1000-memory.dmp
memory/4084-7-0x000002563D130000-0x000002563D140000-memory.dmp
memory/4084-6-0x0000025655960000-0x00000256559BA000-memory.dmp
memory/4084-4-0x0000025655AE0000-0x0000025655B4E000-memory.dmp
memory/4084-10-0x0000025655CA0000-0x0000025655DEA000-memory.dmp
memory/4084-12-0x0000025655BC0000-0x0000025655BF0000-memory.dmp
memory/4084-11-0x0000025655DF0000-0x0000025655F06000-memory.dmp
memory/4084-13-0x00007FFC0ADF0000-0x00007FFC0B8B1000-memory.dmp
memory/4084-14-0x00007FFC0ADF0000-0x00007FFC0B8B1000-memory.dmp
memory/4084-15-0x00007FFC0ADF3000-0x00007FFC0ADF5000-memory.dmp
memory/4084-16-0x00007FFC0ADF0000-0x00007FFC0B8B1000-memory.dmp
memory/4084-17-0x00007FFC0ADF0000-0x00007FFC0B8B1000-memory.dmp
memory/4084-18-0x00007FFC0ADF0000-0x00007FFC0B8B1000-memory.dmp
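Both runs end with a list of memory dumps named memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp, and the same region appears several times because the sandbox re-captured it at successive points. The block below is an added example, not part of the report: it parses the Win7 (behavioral1) listing copied from above, collapses repeated captures of one region, computes each region's size, and notes single pages that lie inside a larger dumped region, so the analyst can pick the few distinct dumps worth opening. The same code applies unchanged to the Win10 listing. The cut-off used to label addresses at or above 0x7FE00000000 as image-load space rather than heap in a Win7 x64 process is an assumption and is marked as such in the code.

```python
"""Triage of the sandbox memory-dump listing.

Added example, not part of the report. WIN7_DUMPS is the behavioral1 listing
copied from the page; HIGH_IMAGE_SPACE is an assumed heuristic.
"""
import re

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)

# Listing from the Win7 (behavioral1) run, copied from the report.
WIN7_DUMPS = """
memory/2416-0-0x000007FEF5FB3000-0x000007FEF5FB4000-memory.dmp
memory/2416-1-0x00000000008C0000-0x00000000008E2000-memory.dmp
memory/2416-2-0x0000000000490000-0x00000000004B0000-memory.dmp
memory/2416-3-0x00000000004B0000-0x00000000004D0000-memory.dmp
memory/2416-4-0x0000000000690000-0x00000000006FE000-memory.dmp
memory/2416-5-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp
memory/2416-6-0x00000000004D0000-0x00000000004DE000-memory.dmp
memory/2416-7-0x0000000000850000-0x00000000008AA000-memory.dmp
memory/2416-8-0x00000000004E0000-0x00000000004F0000-memory.dmp
memory/2416-9-0x00000000004F0000-0x000000000050E000-memory.dmp
memory/2416-10-0x000000001B9B0000-0x000000001BAFA000-memory.dmp
memory/2416-11-0x000000001BB00000-0x000000001BC16000-memory.dmp
memory/2416-12-0x0000000000700000-0x0000000000730000-memory.dmp
memory/2416-13-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp
memory/2416-14-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp
memory/2416-15-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp
memory/2416-16-0x000007FEF5FB3000-0x000007FEF5FB4000-memory.dmp
memory/2416-17-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp
memory/2416-18-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp
memory/2416-19-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp
""".split()

HIGH_IMAGE_SPACE = 0x7FE00000000   # assumed: Win7 x64 system-DLL load range, not process heap


def parse_dump_name(name: str) -> dict:
    m = DUMP_RE.fullmatch(name.strip())
    if m is None:
        raise ValueError(f"unrecognised dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {"pid": int(m["pid"]), "idx": int(m["idx"]), "start": start, "end": end, "size": end - start}


def summarize_dumps(names) -> list:
    """Distinct regions, largest first, with capture count, containment and address-space hint."""
    regions = {}
    for r in map(parse_dump_name, names):
        key = (r["start"], r["end"])
        if key in regions:
            regions[key]["snapshots"] += 1          # same range captured again later in the run
        else:
            regions[key] = {**r, "snapshots": 1}
    out = []
    for key, r in regions.items():
        parents = [k for k in regions if k != key and k[0] <= key[0] and key[1] <= k[1]]
        out.append({**r,
                    "contained_in": min(parents, key=lambda k: k[1] - k[0]) if parents else None,
                    "likely_image_space": r["start"] >= HIGH_IMAGE_SPACE})
    return sorted(out, key=lambda r: r["size"], reverse=True)


if __name__ == "__main__":
    for r in summarize_dumps(WIN7_DUMPS):
        print(f"{r['start']:#018x}-{r['end']:#018x} size={r['size']:#x} snapshots={r['snapshots']} "
              f"image_space={r['likely_image_space']} contained_in={r['contained_in']}")
```

On this listing the twenty files reduce to thirteen distinct regions. The largest one is captured seven times and sits in the high address range, so it is most likely a loaded module rather than unpacked code; the single page at 0x7FEF5FB3000 lies inside it. The low-address regions, captured once each, are the candidates for a decrypted or reflectively loaded payload and are the ones to open first.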