umbral | 351cba23cab65cd57d5ec9e553bfa02d35a32a8f75467a75b1c3735b87af6a3d | Triage

Submit
Reports

Overview

overview

Static

static

SolaraB/So...er.exe

windows7-x64

SolaraB/So...er.exe

windows10-2004-x64

Resubmissions

04-07-2024 13:03

240704-qaf1tsxckj 10

04-07-2024 12:47

240704-p1mqmaxbjr 10

Sharing

General

Target

SolaraB.rar
Size

76KB
Sample

240704-qaf1tsxckj
MD5

9ad679577500b09d525e224e36667ba4
SHA1

e8c8a7afd0c415b94e65e6d0b782852fd0fe508d
SHA256

351cba23cab65cd57d5ec9e553bfa02d35a32a8f75467a75b1c3735b87af6a3d
SHA512

8f0b245ce641a8912f9c8482c7286bdcf19defd7381f4ee985e0f59701ead1ea134c03816545a9b848b43116afe7da371c2ba6d62b26ccdc5e7b579b68e3c736
SSDEEP

1536:zi2l3ISJ6HumuVjcjvlUiKFyTh7hxcj/Z1jY8LkoGFuQ3d:zl3pJjmeQ5URyd7n8/Z1xozFugd

Score

10^/10

umbral execution spyware stealer

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

SolaraB/Solara/solarabootstrapper.exe

Resource

win7-20240508-en

umbral execution spyware stealer

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

SolaraB/Solara/solarabootstrapper.exe

Resource

win10v2004-20240508-en

umbral execution spyware stealer

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1258158330237423708/TP4vZ1k1Rh4BbYP62cogAVNmLUNicORrL9xsgCelKxJelwVrWSmY1bVmhh1Yvxap5YQ-

Targets

- Target
  
  SolaraB/Solara/solarabootstrapper.exe
- Size
  
  227KB
- MD5
  
  ebf1358b8496d5c895f4b8f9298f7f96
- SHA1
  
  f0136d66bf877934376858064344c2038b998fd4
- SHA256
  
  bccba62c31f689715d01f4e80edbe2fe6a816edb571c4a409fccbe2d5b789b65
- SHA512
  
  ca82e5838c7e8b292f46e5b20684b7fbb861f449678fc6283bd5c587c0958c069800e94c9f65b239609434564a394f8ca168d83d40bc27c96ade6c18744beb6d
- SSDEEP
  
  6144:eloZMLrIkd8g+EtXHkv/iD46E6TjpaC9sop7mGz3/b8e1mZJi:IoZ0L+EP86E6TjpaC9sop7mGzLt
Score

10^/10

umbral execution spyware stealer
- Detect Umbral payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

umbralexecutionspywarestealer

behavioral2

umbralexecutionspywarestealer

© 2018-2024

Terms | Privacy