Extracted

• • Target

    bb7252177d00b2242b820310ffe3b45f31ee666d85cd6b521f93566c3edc27cc.exe

  • Size

    231KB

  • MD5

    447297048bf59e02973e2a92506bcf82

  • SHA1

    2ed1aca8f40418d12f99675157b89e1d2d26ebb0

  • SHA256

    bb7252177d00b2242b820310ffe3b45f31ee666d85cd6b521f93566c3edc27cc

  • SHA512

    34c14cfb4baeab9bc45445f4167c90d1c362df04ab185a69676088011dfb3f9f78e951ece9986f42fb6ec6d31f22f7dc012d2ccbf8cf02ef0261c8aa698eaf76

  • SSDEEP

    6144:RloZM+rIkd8g+EtXHkv/iD4VDTfGELns8d42X3Wo1b8e1mOi:joZtL+EP8VDTfGELns8d42X3Wk0

  Score

  10^/10

  umbralcredential_accessdiscoveryexecutionspywarestealer

  • Detect Umbral payload

  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral

  • Credentials from Password Stores: Credentials from Web Browsers

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer

  • Command and Scripting Interpreter: PowerShell

    Using powershell.exe command.

    execution

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Drops file in Drivers directory

  • Deletes itself

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1behavioral2