Malware Analysis Report

2024-10-10 09:51

Sample ID 240630-zz5j6awaje
Target Umbral.Stealer.zip
SHA256 8e95865efd39220dfc4abebc27141d9eae288a11981e43f09cbee6bf90347fe0
Tags agilenet, umbral
Score 10/10

Analysis Overview

Threat Level: Known bad

The file Umbral.Stealer.zip was found to be: Known bad.

Malicious Activity Summary

agilenet umbral

Detect Umbral payload

Umbral family

Obfuscated with Agile.Net obfuscator

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported 2024-06-30 21:10

Signatures

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A

Umbral family

umbral

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A (33 identical rows)

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A (9 identical rows)

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-30 21:10
Reported 2024-06-30 21:13
Platform win7-20240508-en
Max time kernel 119s
Max time network 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Umbral.builder.exe"

Signatures

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A (8 identical rows)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Umbral.builder.exe N/A (64 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Umbral.builder.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Umbral.builder.exe

"C:\Users\Admin\AppData\Local\Temp\Umbral.builder.exe"

Network

N/A

Files

memory/2416-0-0x000007FEF5FB3000-0x000007FEF5FB4000-memory.dmp

memory/2416-1-0x00000000008C0000-0x00000000008E2000-memory.dmp

memory/2416-2-0x0000000000490000-0x00000000004B0000-memory.dmp

memory/2416-3-0x00000000004B0000-0x00000000004D0000-memory.dmp

memory/2416-4-0x0000000000690000-0x00000000006FE000-memory.dmp

memory/2416-5-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp

memory/2416-6-0x00000000004D0000-0x00000000004DE000-memory.dmp

memory/2416-7-0x0000000000850000-0x00000000008AA000-memory.dmp

memory/2416-8-0x00000000004E0000-0x00000000004F0000-memory.dmp

memory/2416-9-0x00000000004F0000-0x000000000050E000-memory.dmp

memory/2416-10-0x000000001B9B0000-0x000000001BAFA000-memory.dmp

memory/2416-11-0x000000001BB00000-0x000000001BC16000-memory.dmp

memory/2416-12-0x0000000000700000-0x0000000000730000-memory.dmp

memory/2416-13-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp

memory/2416-14-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp

memory/2416-15-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp

memory/2416-16-0x000007FEF5FB3000-0x000007FEF5FB4000-memory.dmp

memory/2416-17-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp

memory/2416-18-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp

memory/2416-19-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-30 21:10
Reported 2024-06-30 21:13
Platform win10v2004-20240508-en
Max time kernel 41s
Max time network 51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Umbral.builder.exe"

Signatures

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A (8 identical rows)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Umbral.builder.exe N/A (64 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Umbral.builder.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Umbral.builder.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Umbral.builder.exe

"C:\Users\Admin\AppData\Local\Temp\Umbral.builder.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/4084-1-0x000002563B380000-0x000002563B3A2000-memory.dmp

memory/4084-0-0x00007FFC0ADF3000-0x00007FFC0ADF5000-memory.dmp

memory/4084-3-0x000002563D100000-0x000002563D120000-memory.dmp

memory/4084-2-0x000002563B810000-0x000002563B830000-memory.dmp

memory/4084-5-0x000002563D120000-0x000002563D12E000-memory.dmp

memory/4084-8-0x0000025655920000-0x000002565593E000-memory.dmp

memory/4084-9-0x00007FFC0ADF0000-0x00007FFC0B8B1000-memory.dmp

memory/4084-7-0x000002563D130000-0x000002563D140000-memory.dmp

memory/4084-6-0x0000025655960000-0x00000256559BA000-memory.dmp

memory/4084-4-0x0000025655AE0000-0x0000025655B4E000-memory.dmp

memory/4084-10-0x0000025655CA0000-0x0000025655DEA000-memory.dmp

memory/4084-12-0x0000025655BC0000-0x0000025655BF0000-memory.dmp

memory/4084-11-0x0000025655DF0000-0x0000025655F06000-memory.dmp

memory/4084-13-0x00007FFC0ADF0000-0x00007FFC0B8B1000-memory.dmp

memory/4084-14-0x00007FFC0ADF0000-0x00007FFC0B8B1000-memory.dmp

memory/4084-15-0x00007FFC0ADF3000-0x00007FFC0ADF5000-memory.dmp

memory/4084-16-0x00007FFC0ADF0000-0x00007FFC0B8B1000-memory.dmp

memory/4084-17-0x00007FFC0ADF0000-0x00007FFC0B8B1000-memory.dmp

memory/4084-18-0x00007FFC0ADF0000-0x00007FFC0B8B1000-memory.dmp