umbral | 2389f707ea454c9643631a8936557ea2abb39323d824cbd15759eee10c67cf46

Analysis

max time kernel
46s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
03-09-2024 03:42

Target

Ghost Stealer/Ghost.exe
Size

230KB
MD5

da7d94f96e8b7f035020b7721e968ec1
SHA1

a30abe39a9e27e5eb76fb509eb4f9edeb7c36f5e
SHA256

23d651ed623affcb1b71457c07c4f887a6ac44b04ceef74850292ab38d1b3287
SHA512

181bf779331cbe6f456a44963004e84d8850e1a61350bae66c4e5001d185740c5fbab44b536e3e055871029db23409db376778488ea1d0098ac89786387bd6e2
SSDEEP

3072:WP+1vofuiMY9QF1c7ROhOtXrLmBGIgXyPyTuuu5bO4ickEw8eFJMwT0kE/0RQ:lQ9Q4XYuTuuufS8eFJLhE

Score

10^/10

umbral stealer

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral9/memory/2624-1-0x0000000000F00000-0x0000000000F40000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2624 wrote to memory of 2176	2624	Ghost.exe	31
PID 2624 wrote to memory of 2176	2624	Ghost.exe	31
PID 2624 wrote to memory of 2176	2624	Ghost.exe	31

C:\Users\Admin\AppData\Local\Temp\Ghost Stealer\Ghost.exe
"C:\Users\Admin\AppData\Local\Temp\Ghost Stealer\Ghost.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2624 -s 540
  2⤵
  PID:2176

memory/2624-0-0x000007FEF57B3000-0x000007FEF57B4000-memory.dmp

Filesize
4KB

Download
memory/2624-1-0x0000000000F00000-0x0000000000F40000-memory.dmp

Filesize
256KB

Download
memory/2624-2-0x000007FEF57B3000-0x000007FEF57B4000-memory.dmp

Filesize
4KB

Download