umbral

Sharing

Copy URL

Twitter E-mail

General

Target

Image Logger.rar
Size

12.0MB
Sample

240911-y9crfssalf
MD5

bf5f0ec29018b7d713352805d211a707
SHA1

35919edd98fda6612dc5c1e5e6cdedc0900bb9a1
SHA256

e73bb9abd07a3075baacff2be37bf9b32bc612de7e03af85ef4d51ff7b494e94
SHA512

7061b438b13cc0b2eb3d45b241833954067fd9e345418f610ee9d78b7c5774e78fa6c1f7522b3a468888cb8088edf93e1f4ba6113e5f8f4c13d4acd3109f52dd
SSDEEP

196608:qDREcqgDmKJp7LOIZuSokkVj9hwhRKmSZH/UuSRUIDxd3ObF2GD/VrQuG4:0REcqgDmo7qx3V7WEfUuSO8d34jdrQS

Score

10^/10

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1282684334083674163/14oc769qwp-7q89dT2gExNUqJTVIjFCuQrE66NDv5VnCgalUJDArvZ32Ho6PZNuQNrB7

Targets

- Target
  
  Image Logger/Setup.bat
- Size
  
  187B
- MD5
  
  43b1a15e2307916cb5d7868cfe1fe562
- SHA1
  
  84b20014f6138b2f526047d4cbf531037d4d3a0c
- SHA256
  
  f330318d896d9b389dcb927c907c7ad599603b002435119403040c9a65beb125
- SHA512
  
  689e974127c6ed97cb486e3597de090ad9f89faa2818c43ce11186d3f4a184a4b4a239abe1b86079a2c19da67ec3ff22315a0fc0e887905ab323129ef53c2555
Score

10^/10

umbral credential_access discovery execution stealer
- Detect Umbral payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2
- Target
  
  Image Logger/Src/Files/upx.exe
- Size
  
  229KB
- MD5
  
  3191f1be1378fe37eb86efe885252351
- SHA1
  
  e242bc1a4a1b09dc0936a966153449a7afd227ff
- SHA256
  
  d5e77c60ebc90e48aa63369619fb8a048867aa1820c119371fb89d3b707324fc
- SHA512
  
  f2e9f3bbc4456034a0d233f0aca93de4fd5177e028d8f3208248457bc061574ac1a3615e565ca9d54cf41f68df6ac6f03b44c0dbaae0f56cc569440f67af204a
- SSDEEP
  
  6144:FloZM+rIkd8g+EtXHkv/iD4o+7Cw7ByallgRj++74T7b8e1mA9i:HoZtL+EP8V7Cw7ByallgRj++74DVU
Score

10^/10

umbral credential_access execution spyware stealer discovery
- Detect Umbral payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral3 behavioral4
- Target
  
  Image Logger/Src/main.exe
- Size
  
  12.3MB
- MD5
  
  9c9dc758b34d719a4279bdf87e52f975
- SHA1
  
  3a659e7c11832dc935696c93c7f9d81041f0522c
- SHA256
  
  5925b2b709bfea787674db60f127a6117c60c88148317c9f9bb7cce8d4ff1316
- SHA512
  
  fcedbbceebbed1d8cc3a2d148f951bc919e0fda5ca59eebc7c848b52844681451d97d0aede01cf9afe2ce942b87414479b141a4136c07db2fa52b5b8b4209091
- SSDEEP
  
  393216:rI8DzgpgPYVnNSMF1+TtIiFavB5IjWqilzLyG3zE:r5DzgpgPQH1QtIx3ILi93
Score

7^/10
- Loads dropped DLL
behavioral5 behavioral6
- Target
  
  main.pyc
- Size
  
  3KB
- MD5
  
  16e27d323fbbe72066c2f6db0c85e9c9
- SHA1
  
  71ca30614315dd3b125f8f0f08cbe8cbd566b8ac
- SHA256
  
  24b9e6f7c9b79435d9d08b6199bb54474ae0634d96d746ee188ffae6966aae6a
- SHA512
  
  9c7ceb6c38223fdd317d6774ce4b8b19192ba42caa343bdc48450915a1953e0590dde6b9f370a4754ae7c7f6d14b7703d281f7fd6825873d717eea97d7457f3a
Score

3^/10

discovery
behavioral7 behavioral8
- Target
  
  Image Logger/Start.bat
- Size
  
  59B
- MD5
  
  f43a646ca2cde87cc20f3756ad12e51c
- SHA1
  
  2788e5da1348b7418356d2a485a40c7fb4697588
- SHA256
  
  3ea2dd9cdd54135aaf47b196acbd4b54be5744be4fdfa022600e2cdd1cdf7d0c
- SHA512
  
  3788d856a36cba78b147dfc4263682105cd4ddf6f6db701b4cbe95a4b449d397ff5d5f039a93dd77f055bb6db329f908796fb3ff0969a8070647ffc1c13fe7cb
Score

10^/10

umbral credential_access discovery execution stealer
- Detect Umbral payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral10 behavioral9