Extracted

• • Target

    4bb8a2bcc007cc041fe3c03c25453920N.exe

  • Size

    3.5MB

  • MD5

    4bb8a2bcc007cc041fe3c03c25453920

  • SHA1

    e922394a6f90243985b305efb9e4caed04483d40

  • SHA256

    9b90f637ef1988d0b812882cc1455f1ca87b8eef2017d92ec438734b02eebe36

  • SHA512

    40cc3a02511bd4b899824aeb70867218220f7797e100daf625b364f899ec3c58d8c129fe0b17c445683e0968beb5abc25262707fa074f9ef85b26da31cb7cddd

  • SSDEEP

    49152:k9bxPRDP0fHuNSeZUZzWHehOQ1750lGurq4bx67oICjhTLCUA/bIHvWdW9dX8dvz:m5Rjb1Zc/hOQkvq407ozFmAeW9Wvz

  Score

  10^/10

  umbralcredential_accessdiscoveryevasionexecutionspywarestealerthemidatrojan

  • Detect Umbral payload

  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral

  • Credentials from Password Stores: Credentials from Web Browsers

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Drops file in Drivers directory

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Themida packer

    Detects Themida, an advanced Windows software protection system.

    themida

  • Checks whether UAC is enabled

    evasiontrojan

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2