General

  • Target

    cbe01fe4646cb0bf553e56fab6049ea0N.exe

  • Size

    332KB

  • Sample

    240822-2xwkksscke

  • MD5

    cbe01fe4646cb0bf553e56fab6049ea0

  • SHA1

    74323c61e5e6af54a185db9055a63b58164a0875

  • SHA256

    084d8dae75296d5278702a13359c8869ea6919de5e0f3e939d0e786771238614

  • SHA512

    231f36ca6f9904dee27d8bd663f2210686f1b999341bf5da4aa6726785cbfa78df9af9ca2095cc918682ec215e92509beb34ea294b88eeabfa74f263ec801bc3

  • SSDEEP

    6144:tqS31vVrANegm9Wv3IOm+I3Wy6VlWd40pKr/zZ5wBJqsycOPAahF:4S7PWvSR3WTVl50wrN5wDq//A

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1270503478661218436/lYjczFpScyBiK0vTfbrRGM7w5iZQZYGn5ZBMz2hf0cegpXKTgRn6umRYCB_UZguXyf4o

Targets

    • Target

      cbe01fe4646cb0bf553e56fab6049ea0N.exe

    • Size

      332KB

    • MD5

      cbe01fe4646cb0bf553e56fab6049ea0

    • SHA1

      74323c61e5e6af54a185db9055a63b58164a0875

    • SHA256

      084d8dae75296d5278702a13359c8869ea6919de5e0f3e939d0e786771238614

    • SHA512

      231f36ca6f9904dee27d8bd663f2210686f1b999341bf5da4aa6726785cbfa78df9af9ca2095cc918682ec215e92509beb34ea294b88eeabfa74f263ec801bc3

    • SSDEEP

      6144:tqS31vVrANegm9Wv3IOm+I3Wy6VlWd40pKr/zZ5wBJqsycOPAahF:4S7PWvSR3WTVl50wrN5wDq//A

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an open-source modular stealer written in C#.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
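
The behaviours above (Defender exclusions added through PowerShell, a Discord webhook used as C2, and an external IP lookup) are what a responder would hunt for across endpoint and proxy telemetry. The following is an added example of that detection logic, written for this page; it is not code from the report or from the Umbral project. The telemetry lines in SAMPLE_EVENTS are constructed for illustration and are not captured from the analysed sample; the webhook ID, the token and the excluded process name in them are placeholders, and the list of IP-lookup hosts is an assumption (the page does not name the service the sample used).

```python
"""Host and network detection logic for the behaviours listed above.

Added example, not code from the report or from the Umbral project.
The telemetry lines in SAMPLE_EVENTS are constructed for illustration;
they are not captured from the analysed sample. The webhook ID, token
and excluded process name in them are placeholders.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# (source, text) pairs. Realistic sources: Sysmon Event ID 1 command
# lines, PowerShell Event ID 4104 script blocks, web-proxy access logs.
SAMPLE_EVENTS = [
    ("sysmon:1", 'powershell.exe -NoProfile -Command Add-MpPreference '
                 '-ExclusionPath "C:\\Users\\user\\AppData\\Roaming" -ExclusionExtension ".exe"'),
    ("ps:4104", "Add-MpPreference -ExclusionProcess 'sample.exe'"),
    ("ps:4104", "Get-MpPreference | Select-Object -ExpandProperty ExclusionPath"),  # read-only, benign
    ("ps:4104", "Set-MpPreference -DisableRealtimeMonitoring $true"),  # tampering, but not an exclusion
    ("proxy", "POST https://discord.com/api/webhooks/123456789012345678/"
              + "x" * 68 + " 204"),
    ("proxy", "GET https://api.ipify.org/ 200"),
]

# Only the cmdlets that change Defender state; Get-MpPreference is read-only.
_MP_CMDLET = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)
# One exclusion argument: -ExclusionPath / -ExclusionExtension / -ExclusionProcess,
# with a double-quoted, single-quoted or bare value.
_EXCLUSION = re.compile(
    r"-Exclusion(Path|Extension|Process)\s+(?:\"([^\"]*)\"|'([^']*)'|([^\s,;]+))",
    re.IGNORECASE,
)
# Discord webhook: numeric snowflake ID followed by a long URL-safe token.
_WEBHOOK = re.compile(
    r"https?://(?:(?:ptb|canary)\.)?discord(?:app)?\.com/api/webhooks/(\d{17,20})/([A-Za-z0-9_-]{50,})"
)
_URL = re.compile(r"https?://[^\s\"']+")
# Assumed list of public IP-lookup services; the page does not say which one the sample used.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ipinfo.io", "icanhazip.com", "ifconfig.me", "ip-api.com"}


@dataclass(frozen=True)
class ExclusionFinding:
    source: str
    kind: str   # "Path", "Extension" or "Process"
    value: str


def find_defender_exclusions(events):
    """Return every exclusion added or set via Add-/Set-MpPreference."""
    findings = []
    for source, text in events:
        if not _MP_CMDLET.search(text):
            continue
        for m in _EXCLUSION.finditer(text):
            value = m.group(2) or m.group(3) or m.group(4) or ""
            findings.append(ExclusionFinding(source, m.group(1).capitalize(), value))
    return findings


def find_discord_webhooks(events):
    """Return (source, webhook_id, redacted_token) for each webhook URL seen.

    The token is redacted in the finding so it does not leak into tickets."""
    hits = []
    for source, text in events:
        for m in _WEBHOOK.finditer(text):
            wid, token = m.group(1), m.group(2)
            hits.append((source, wid, token[:4] + "..." + token[-4:]))
    return hits


def find_ip_lookups(events):
    """Return (source, host) for requests to known external-IP lookup services."""
    hits = []
    for source, text in events:
        for m in _URL.finditer(text):
            host = (urlsplit(m.group(0)).hostname or "").lower()
            if host in IP_LOOKUP_HOSTS:
                hits.append((source, host))
    return hits


def triage(events):
    """Summarise the three behaviour classes over a batch of events."""
    return {
        "defender_exclusions": find_defender_exclusions(events),
        "discord_webhooks": find_discord_webhooks(events),
        "ip_lookups": find_ip_lookups(events),
    }


if __name__ == "__main__":
    for key, hits in triage(SAMPLE_EVENTS).items():
        print(f"{key}: {len(hits)}")
        for hit in hits:
            print("   ", hit)
```

A Set-MpPreference call that only disables real-time monitoring is deliberately not reported as an exclusion, so that the exclusion rule stays precise; tampering of that kind belongs to a separate rule. On a live host, the same exclusion patterns can be cross-checked against the current state with Get-MpPreference, and any webhook ID found in proxy logs can be blocked at the egress proxy without disturbing legitimate Discord traffic.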

MITRE ATT&CK Enterprise v15

Tasks