General
-
Target
yteah.exe
-
Size
227KB
-
MD5
a2a605499f5c6411a4020cbdcee72e0c
-
SHA1
91ed0eaa5005e566f0d29c12f97a2c6a6583781f
-
SHA256
dda9010bca296fd1ac80f5c83459d05546c8dadc8b140877372a5fc91ac9ea26
-
SHA512
6aff4ed32016570a652e3f424b3db048a99b225c6624909863d5217869d444af38438039e8d0495d379b3a52727c1855a7789128c0115b368ca3d24446d212de
-
SSDEEP
6144:+loZM+rIkd8g+EtXHkv/iD4AkKM+8D/0zVA+Pv+nJb8e1mzDi:ooZtL+EP8AkKM+8D/0zVA+Pv+Bp
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1268794193321525280/-MtzATHm9H0Ql-oJM2T2M9v_32vsSpeIbom8dQQF9ax-tXdpjKHa9b68xGcy80W5k4pa
Signatures
-
Detect Umbral payload 1 IoCs
resource yara_rule sample family_umbral -
Umbral family
-
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
resource yteah.exe
Files
-
yteah.exe.exe windows:4 windows x86 arch:x86
f34d5f2d4577ed6d9ceec516c1f5a744
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE
Imports
mscoree
_CorExeMain
Sections
.text Size: 224KB - Virtual size: 224KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rsrc Size: 1KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 12B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ