umbral | Ghost+Stealer[.]zip

Sharing

Copy URL

Twitter E-mail

General

Target

Ghost+Stealer.zip
Size

996KB
MD5

0fc43a86618a27f526b1deca8ea10230
SHA1

778576f05abd13b47e3d6ca2ed376a2fff4d5631
SHA256

2389f707ea454c9643631a8936557ea2abb39323d824cbd15759eee10c67cf46
SHA512

6466ec9960bd656f15dd2573b9d61dc3ccd95ff020a69db609b794dc610e3e8eb4e8fa9fc1333c963bce011af39729ccbc1b0e2db49fce073b0f57d054d86398
SSDEEP

24576:3ayYJsxkASilelLzUyBapr8IrQxD38AkWSixej5zGUBN:3a4kASilelvar8EAkWSixejRZ

Score

10^/10

umbral

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
static1/unpack001/Ghost Stealer/Ghost.payload	family_umbral

Umbral family
umbral

Unsigned PE 4 IoCs

Checks for missing Authenticode signature.

resource
unpack001/Ghost Stealer/Ghost.exe
unpack001/Ghost Stealer/Ghost.payload
unpack001/Ghost Stealer/ResourceLib.dll
unpack001/Ghost Stealer/Stub/stub.exe

Files

Ghost+Stealer.zip
.zip
Ghost Stealer/Ghost.builder.exe.config
.xml
Ghost Stealer/Ghost.builder.pdb
Ghost Stealer/Ghost.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

ba;L
Size: 31KB - Virtual size: 30KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

ba;L
Size: 31KB - Virtual size: 30KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.text
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 304B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

cSgKFwJB
Size: 512B - Virtual size: 22B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.????
Size: 512B - Virtual size: 276B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Y
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc1
Size: 23KB - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Ghost Stealer/Ghost.payload
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

E:\C# Projects\Umbral Stealer\Umbral.payload\obj\Release\Umbral.payload.pdb

Imports

mscoree

_CorExeMain

Sections

.text
Size: 227KB - Virtual size: 226KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Ghost Stealer/ResourceLib.dll
.dll windows:4 windows x86 arch:x86

dae02f32a21e03ce65412f6e56942daa

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

C:\projects\resourcelib\Source\ResourceLib\obj\Release\net45\Vestris.ResourceLib.pdb

Imports

mscoree

_CorDllMain

Sections

.text
Size: 73KB - Virtual size: 73KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Ghost Stealer/Stub/stub.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

ba;L
Size: 31KB - Virtual size: 30KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

ba;L
Size: 31KB - Virtual size: 30KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.text
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

cSgKFwJB
Size: 512B - Virtual size: 22B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.????
Size: 512B - Virtual size: 276B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Y
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Ghost Stealer/Stub/stub.exe.config

Sharing

General

Malware Config

Signatures

Files

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

File Characteristics

Imports

mscoree

Sections

ba;L Size: 31KB - Virtual size: 30KB

ba;L Size: 31KB - Virtual size: 30KB

.text Size: 1.1MB - Virtual size: 1.1MB

.rsrc Size: 512B - Virtual size: 304B

cSgKFwJB Size: 512B - Virtual size: 22B

.???? Size: 512B - Virtual size: 276B

Y Size: 512B - Virtual size: 16B

.rsrc1 Size: 23KB - Virtual size: 23KB

.reloc Size: 512B - Virtual size: 12B

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

mscoree

Sections

.text Size: 227KB - Virtual size: 226KB

.rsrc Size: 2KB - Virtual size: 1KB

.reloc Size: 512B - Virtual size: 12B

dae02f32a21e03ce65412f6e56942daa

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

mscoree

Sections

.text Size: 73KB - Virtual size: 73KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 512B - Virtual size: 12B

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

File Characteristics

Imports

mscoree

Sections

ba;L Size: 31KB - Virtual size: 30KB

ba;L Size: 31KB - Virtual size: 30KB

.text Size: 1.1MB - Virtual size: 1.1MB

.rsrc Size: 1KB - Virtual size: 1KB

cSgKFwJB Size: 512B - Virtual size: 22B

.???? Size: 512B - Virtual size: 276B

Y Size: 512B - Virtual size: 16B

.reloc Size: 512B - Virtual size: 12B

ba;L
Size: 31KB - Virtual size: 30KB

ba;L
Size: 31KB - Virtual size: 30KB

.text
Size: 1.1MB - Virtual size: 1.1MB

.rsrc
Size: 512B - Virtual size: 304B

cSgKFwJB
Size: 512B - Virtual size: 22B

.????
Size: 512B - Virtual size: 276B

Y
Size: 512B - Virtual size: 16B

.rsrc1
Size: 23KB - Virtual size: 23KB

.reloc
Size: 512B - Virtual size: 12B

.text
Size: 227KB - Virtual size: 226KB

.rsrc
Size: 2KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 12B

.text
Size: 73KB - Virtual size: 73KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 12B

ba;L
Size: 31KB - Virtual size: 30KB

ba;L
Size: 31KB - Virtual size: 30KB

.text
Size: 1.1MB - Virtual size: 1.1MB

.rsrc
Size: 1KB - Virtual size: 1KB

cSgKFwJB
Size: 512B - Virtual size: 22B

.????
Size: 512B - Virtual size: 276B

Y
Size: 512B - Virtual size: 16B

.reloc
Size: 512B - Virtual size: 12B