umbral | Dead+Stealer[.]rar

General

Target

Dead+Stealer.rar
Size

200KB
MD5

0d95c0b8381a7eea1b391c0c4c1b705a
SHA1

b9777d1eb06902c161f0a88925de3c49d61dadf1
SHA256

1b9385d02d7257137ac792f32b3109b02a01c720de368c1f334ec8f54638f795
SHA512

1d86bfca0e998ce7e6a67eb37189d18f3c66e311b7a2ec393e7f7549f7f5467fed4c10e4965ae77d0799aad2e9d72bc6c62a5e9cc3547eaae1aa5aaaaccc9852
SSDEEP

6144:oXGhaBEyvGC8UasGt9dWiwZIUnD16gXIDS18Q56BB:kGhByeuaRWxIUp6PDOjMBB

Score

10^/10

umbral

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1267112581206904925/Gkx9-NA-5FKJL-3Ehaqtj5lpmNzG-yFwxfY66lVxsyoKGIcae-bbaUO7d-hvSLDQU1-n

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
static1/unpack001/Dead Stealer/dead-builder.exe	family_umbral
static1/unpack001/Dead Stealer/dead.payload	family_umbral

Umbral family
umbral

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
unpack001/Dead Stealer/dead-builder.exe
unpack001/Dead Stealer/dead.payload

Files

Dead+Stealer.rar
.rar
Dead Stealer/dead-builder.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 251KB - Virtual size: 251KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Dead Stealer/dead.payload
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

C:\Users\!DEVIL\Desktop\‎\Umbral-Stealer-main\Umbral.payload\obj\Release\dead.payload.pdb

Imports

mscoree

_CorExeMain

Sections

.text
Size: 251KB - Virtual size: 250KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

File Characteristics

Imports

mscoree

Sections

.text Size: 251KB - Virtual size: 251KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 512B - Virtual size: 12B

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

mscoree

Sections

.text Size: 251KB - Virtual size: 250KB

.rsrc Size: 2KB - Virtual size: 1KB

.reloc Size: 512B - Virtual size: 12B

.text
Size: 251KB - Virtual size: 251KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 12B

.text
Size: 251KB - Virtual size: 250KB

.rsrc
Size: 2KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 12B