Extracted

• • Target

    e00bcdcd800b56caf0a0f25595a24631eacaaa1f3be35ba99e2e3af0f469ba9e.bat

  • Size

    232KB

  • MD5

    7ebd033260b1e54dff5afd7c6534cf33

  • SHA1

    cfb7040938237156fa3795755c77eecd7957bc39

  • SHA256

    e00bcdcd800b56caf0a0f25595a24631eacaaa1f3be35ba99e2e3af0f469ba9e

  • SHA512

    18175d028e1a0541c3c3f8221173c4e9004a14a4642bf34c6cb7ec660facb74f5c91e5ee8d8677d833cc5fe6d067ea6cb40e641524d909056b8daedc21d2682f

  • SSDEEP

    6144:FAWrhrgGAavaCnw8PaaEnyLzdyWEklez+3PDUi4WQZ5q:KWr5Mt+wezdTeK3LUi1QZM

  Score

  10^/10

  umbralcredential_accessexecutionstealer

  • Detect Umbral payload

  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral

  • Credentials from Password Stores: Credentials from Web Browsers

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer

  • Blocklisted process makes network request

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Drops file in Drivers directory

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1behavioral2