umbral | c8615f0c7412de9bab6307491a5084aed1faf308664bc4d21e8d83101afdeb0a | Triage

Submit
Reports

Overview

overview

Static

static

SolaraB/So...er.exe

windows11-21h2-x64

Sharing

General

Target

SolaraB.rar
Size

76KB
Sample

240704-rtb2nazeqc
MD5

6411b4a9a246eef97e589a9df2882f8a
SHA1

1d90311acb334f288f4996df26b1800403a0948f
SHA256

c8615f0c7412de9bab6307491a5084aed1faf308664bc4d21e8d83101afdeb0a
SHA512

0199a12c1fdcdc0125e29d578e6111fb5cd3a51d5370c618fbeba138fe2c42e31418a611df7ead727f510b7da7a53e71f2c09c59850253d58ac07b5b658dcb4f
SSDEEP

1536:Ki2l3ISJ6HumuVjcjvlUiKFyTh7hxcj/Z1jY8LkoGFuQ3n:Ql3pJjmeQ5URyd7n8/Z1xozFugn

Score

10^/10

umbral execution spyware stealer

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

SolaraB/Solara/solarabootstrapper.exe

Resource

win11-20240508-en

umbral execution spyware stealer

windows11-21h2-x64

24 signatures

1800 seconds

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1258158330237423708/TP4vZ1k1Rh4BbYP62cogAVNmLUNicORrL9xsgCelKxJelwVrWSmY1bVmhh1Yvxap5YQ-

Targets

- Target
  
  SolaraB/Solara/solarabootstrapper.exe
- Size
  
  227KB
- MD5
  
  ebf1358b8496d5c895f4b8f9298f7f96
- SHA1
  
  f0136d66bf877934376858064344c2038b998fd4
- SHA256
  
  bccba62c31f689715d01f4e80edbe2fe6a816edb571c4a409fccbe2d5b789b65
- SHA512
  
  ca82e5838c7e8b292f46e5b20684b7fbb861f449678fc6283bd5c587c0958c069800e94c9f65b239609434564a394f8ca168d83d40bc27c96ade6c18744beb6d
- SSDEEP
  
  6144:eloZMLrIkd8g+EtXHkv/iD46E6TjpaC9sop7mGz3/b8e1mZJi:IoZ0L+EP86E6TjpaC9sop7mGzLt
Score

10^/10

umbral execution spyware stealer
- Detect Umbral payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

umbralexecutionspywarestealer

© 2018-2024

Terms | Privacy