umbral

Sharing

Copy URL

Twitter E-mail

General

Target

Ghost+Stealer.zip
Size

996KB
Sample

240903-d9jjsaxele
MD5

0fc43a86618a27f526b1deca8ea10230
SHA1

778576f05abd13b47e3d6ca2ed376a2fff4d5631
SHA256

2389f707ea454c9643631a8936557ea2abb39323d824cbd15759eee10c67cf46
SHA512

6466ec9960bd656f15dd2573b9d61dc3ccd95ff020a69db609b794dc610e3e8eb4e8fa9fc1333c963bce011af39729ccbc1b0e2db49fce073b0f57d054d86398
SSDEEP

24576:3ayYJsxkASilelLzUyBapr8IrQxD38AkWSixej5zGUBN:3a4kASilelvar8EAkWSixejRZ

Score

10^/10

Malware Config

Targets

- Target
  
  Ghost+Stealer.zip
- Size
  
  996KB
- MD5
  
  0fc43a86618a27f526b1deca8ea10230
- SHA1
  
  778576f05abd13b47e3d6ca2ed376a2fff4d5631
- SHA256
  
  2389f707ea454c9643631a8936557ea2abb39323d824cbd15759eee10c67cf46
- SHA512
  
  6466ec9960bd656f15dd2573b9d61dc3ccd95ff020a69db609b794dc610e3e8eb4e8fa9fc1333c963bce011af39729ccbc1b0e2db49fce073b0f57d054d86398
- SSDEEP
  
  24576:3ayYJsxkASilelLzUyBapr8IrQxD38AkWSixej5zGUBN:3a4kASilelvar8EAkWSixejRZ
Score

1^/10
behavioral1 behavioral2
- Target
  
  Ghost Stealer/Ghost.builder.exe.config
- Size
  
  163B
- MD5
  
  dccd44fb11b8e4ebdfb822e809a54b6f
- SHA1
  
  1889d5ae8c7c70c051cbde104af6e0f31f8c1b63
- SHA256
  
  6862b25736259f7bfd344e43eea10a703885be381eee2a745ceb12916b01a158
- SHA512
  
  dadffe41bdadfc3a79cb34369c9a8b37ce4833aee18058b02dcb13d64007f022b80b63ab404572c60278937cf83b06b00712ff9ee302e725b9d5c7fe14bd5f50
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  Ghost Stealer/Ghost.builder.pdb
- Size
  
  113KB
- MD5
  
  9923a8c48c0375680cd8f34fb9a6b8d0
- SHA1
  
  d1e8cf4fbfa19bf86e3877a641e8e3f2582d95c6
- SHA256
  
  58f1ca3f7165b0688db2cbf2ec91c0df5dacb43ee03fcd9ddd2a500d162e6899
- SHA512
  
  ac0222ec40f5fc62007314ef5e387a0c60743305b50b43d34c56eaad8fbe9210847206067f7ea0f5eede0be6dd5a0729ce4477fa367557b10b5017c721222c04
- SSDEEP
  
  1536:1QAYHXpGuF9AVm6XDAUpT+tq91M/ihARY+C3QA:uHBF9AdTAU8AhARY
Score

3^/10

discovery
behavioral5 behavioral6
- Target
  
  Ghost Stealer/Ghost.exe
- Size
  
  1.2MB
- MD5
  
  b77a263bcb2c18a1b922c642c0cc5ee2
- SHA1
  
  90e423f769d7cff75ba8bd362f07b7789ddb8eed
- SHA256
  
  5bc1900d65e4daa0d587ecadee83113aff82facb5259ec1a6988ef25dae7df7d
- SHA512
  
  bf00a292c67d49f6155b057fd3f4666a309f86de60d20948ac5a34ef333658e1afe3e064ffd8c80eccad68181ecbf2b7f896624437e7dfcf37773416a59b0ca6
- SSDEEP
  
  12288:6iOokH48FBakxSixBfraTyInY2tpJg7yICBRIkg8A:6iOAukKSine/pzmwBI5
Score

6^/10

discovery
- Drops desktop.ini file(s)
behavioral7 behavioral8
- Target
  
  Ghost Stealer/Ghost.payload
- Size
  
  230KB
- MD5
  
  da7d94f96e8b7f035020b7721e968ec1
- SHA1
  
  a30abe39a9e27e5eb76fb509eb4f9edeb7c36f5e
- SHA256
  
  23d651ed623affcb1b71457c07c4f887a6ac44b04ceef74850292ab38d1b3287
- SHA512
  
  181bf779331cbe6f456a44963004e84d8850e1a61350bae66c4e5001d185740c5fbab44b536e3e055871029db23409db376778488ea1d0098ac89786387bd6e2
- SSDEEP
  
  3072:WP+1vofuiMY9QF1c7ROhOtXrLmBGIgXyPyTuuu5bO4ickEw8eFJMwT0kE/0RQ:lQ9Q4XYuTuuufS8eFJLhE
Score

10^/10

umbral stealer
- Detect Umbral payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
behavioral10 behavioral9
- Target
  
  Ghost Stealer/ResourceLib.dll
- Size
  
  76KB
- MD5
  
  944ce5123c94c66a50376e7b37e3a6a6
- SHA1
  
  a1936ac79c987a5ba47ca3d023f740401f73529b
- SHA256
  
  7da3f0e77c4dddc82df7c16c8c781fade599b7c91e3d32eefbce215b8f06b12a
- SHA512
  
  4c034ff51cc01567f3cb0796575528ca44623b864eb606266bcf955a9259ed26b20bec0086d79038158d3a5af2ada0a90f59d7c6aae9e545294fe77825dbe08b
- SSDEEP
  
  1536:CSSYikTF0Z+sFGu11tIcyI1MtI9eDG3fL7:CJYD0Z9FGu11teI1r9ea3
Score

1^/10
behavioral11 behavioral12
- Target
  
  Ghost Stealer/Stub/stub.exe
- Size
  
  1.2MB
- MD5
  
  a807001286f0d4f3336e9a45e6184558
- SHA1
  
  4253769235f75848632e559a2e15d0ef9708a479
- SHA256
  
  e1f56d8ad0dfea880281406424191daebbc1f77eb30ca25d997f26fd6cc71070
- SHA512
  
  693221c1809c9d338e0ac270a0cf6aa6f277026b58056360180415b96a1a5f47104376e4fe37e0f6a2e929c5a9e7547afe0fa0d5b6ee8d12a76012affb718d42
- SSDEEP
  
  12288:ZiOokH48FBakxSixBfraTyInY2tpJg7yICBRIkx:ZiOAukKSine/pzmwBp
Score

10^/10

discovery evasion execution persistence privilege_escalation trojan
- UAC bypass
  evasion trojan
- Looks for VirtualBox Guest Additions in registry
  evasion
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Looks for VMWare Tools registry key
  evasion
- Modifies Windows Firewall
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
behavioral13 behavioral14
- Target
  
  Ghost Stealer/Stub/stub.exe.config
- Size
  
  759B
- MD5
  
  a40b70b19e717b2628d2662b61e69f99
- SHA1
  
  c3d59349659cd82fb6b8c093a3df72846541573a
- SHA256
  
  67818858dae8a4d85a158d68ca50bfef345a730dbf12461cfb700f30edee460c
- SHA512
  
  2dfca6af0d7daeafa4803fbf971843e70678eb2ecc73f8559d39a617721c3a9362eba9fd4d158a1227a50d96b6711a9bd9f694eb10532e7caa9694aefa81b794
Score

3^/10

discovery
behavioral15 behavioral16