umbral

Sharing

Copy URL

Twitter E-mail

General

Target

EmeraldX.zip
Size

2.9MB
Sample

240913-yn71gawajq
MD5

6d5e6bb315019834ad58da276fb2b4ee
SHA1

c3dfebcf3caf961c745a070c58a78dd5c30bd368
SHA256

6b3fb6fce70e0a6cbe4dec6627f76ff70414048360f03c7d72099fbd059591ed
SHA512

6619981ecb97ec806c3a0c57cab618f17f214a0e96c26ff7f31f26362ba7facf0667e874269d51ee38e2705c0eaed4cbb0eacf8ea92aae150271f635f2ccf213
SSDEEP

49152:Gf+JRr8UFdx5nmGAlo1S6OxurnJtB1Xgaon+3BzWVoZ0AEk:G2bdx5nmc7OcnJhXge3BzWiZ0Ab

Score

10^/10

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1282641542556811284/XhP2lBGmy2WSxK1y0l23RHuQqEin2SHIJODdzqGhEFoaXh5jRVDNcIXTEi8GEfBNxtlo

Targets

- Target
  
  Emerald X/Emerald.exe
- Size
  
  229KB
- MD5
  
  f50a9b0c2670af5b0e3371ecdcebed27
- SHA1
  
  e114834c05d2e86db3c3d45ccbd46a7c32950167
- SHA256
  
  abbf1cd65c8d762019873c47b45e374d0c75cb28ddf754a8ddb35501f3cb63b2
- SHA512
  
  21784568e5f27bbd0235fb37d7a7381055da13f27c00b6399bbb09b286bc58a965f00bb925950855392aad57678d34ccd0de4d13b10f9ae7503bc192143a90c6
- SSDEEP
  
  6144:lloZM+rIkd8g+EtXHkv/iD4eudRU69VecbGkFZwEPb8e1moi:noZtL+EP8eudRU69VecbGkFZwWq
Score

10^/10

umbral credential_access discovery execution spyware stealer
- Detect Umbral payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2
- Target
  
  Emerald X/Injector.exe
- Size
  
  5.5MB
- MD5
  
  072bd8b0166f4e8c134fddd1a91b16c6
- SHA1
  
  da0e078b22b6739eb2ae67ef3dd7ac7ee841f96c
- SHA256
  
  f84e39b3be2ba74691b82dab25a4d42d13535f138d9c69ffe37d45d90612a34f
- SHA512
  
  5ff3173c47a7718c41076507a5c3d8e83021928dead3c82ce6e46b4609afa6ffa4af7cd4af1b779805c00ccd5b9ee5a59144c0507bb17db8fad77b0e144ee828
- SSDEEP
  
  49152:uACTPFe76hHoYwVbV+huHplzrvTAm+DGjV1ykc+nPsbn3+nM6Pzs0dn3dnndn+dF:WwHpoe6
Score

1^/10
behavioral3 behavioral4
- Target
  
  Emerald X/bin/Monaco/index.html
- Size
  
  13KB
- MD5
  
  8132342ce4b039603cbb3b1a32ab859b
- SHA1
  
  66c46050a6e5b08758c00455ae26a6c66e94ce4c
- SHA256
  
  3818906ed429acd27aabad7ec8771893d60658ea31b8d0c92418b96de8ee94e6
- SHA512
  
  44d93118187e703af1fc1627de7e97c39072e666c9086b1b4c00a7eadce1913c84dc97e8f80e2b514154ef66b23baddbfd71a2faa250735ddf4d2bc12709cef4
- SSDEEP
  
  192:oL3bXRggAbYm/9mv2Oxr09VpDwFgBsK7u24FzTkcmc/VT+9taAc4dReigXN:2RggAbYmbD9V9wFgBs+SFN
Score

3^/10

discovery
behavioral5 behavioral6
- Target
  
  Emerald X/bin/Monaco/vs/base/worker/workerMain.js
- Size
  
  174KB
- MD5
  
  9ce9e46b6d66d8b2dbcabba577cad2ed
- SHA1
  
  397b0e9e7b2bee37a8444e84bb9788a0bdcb023e
- SHA256
  
  19b566655d73370a820a7d6fffe7af03dba3af4997016c0983be5bd188603ec2
- SHA512
  
  f322ea669fa81397066edef062721ae3dd515b3d61c4ad7bef0db0eb3a53f056da298fd4f761bd3e5d613e6f5803a7c35ed056085ac3b97e06c7bfd47fffad49
- SSDEEP
  
  1536:mi5eQeCEwCP1m9JXKmA1xKzyOQJf9X2K7eM9bWXsUK5QSkSoIMQwr+ZjtQYyeTMO:mHTdkKmA1yyOQJl2K7ns6dZ/RVaNzY
Score

3^/10

execution
behavioral7 behavioral8
- Target
  
  Emerald X/bin/Monaco/vs/basic-languages/lua/autocompletes.js
- Size
  
  2KB
- MD5
  
  eb6fde8de905af68c855a2506c8a8204
- SHA1
  
  32b172578f398151be79f78bdeb15eeff4a83020
- SHA256
  
  1fbe4337327ef99c9caba74678cfff28652606fd667dbca34f12e809738010d9
- SHA512
  
  6e95ecdfbabf20c2e717006ea00fa92d79e577cf262460cef7f3db7bb4fa87585bed99b6a1bd1d865c5e5184044b0244aa0823580c9444b1f2ff013057f54235
Score

3^/10

execution
behavioral10 behavioral9
- Target
  
  Emerald X/bin/Monaco/vs/basic-languages/lua/autocompletes/base.js
- Size
  
  521B
- MD5
  
  29e50887a6f1c445e0f63bed73eefb83
- SHA1
  
  b8e006b9ad14bb6012497e164d9a4f926e2d568d
- SHA256
  
  9a6c60193eb2dda7c2682bf9c7ff7e01b0f6000d70881583f0055782c8b2c619
- SHA512
  
  16cc7fd8b5641d347a6a9e8542a6ab29d71a432dfb2f72dae05b21b274d92208ec7c5a9ad1ba313658f3a68aebd9edc3d0bcbf07a03d0f16eae95568f175dbf4
Score

3^/10

execution
behavioral11 behavioral12
- Target
  
  Emerald X/bin/Monaco/vs/basic-languages/lua/autocompletes/classes.js
- Size
  
  33KB
- MD5
  
  fabe9b3ec7774eb374f18709ab41c8c0
- SHA1
  
  de6c19413ef008000357bccea90faf0d23ccf605
- SHA256
  
  75418233aff9a1401f6c467f8ca20999803436bc1ebb463123d1fb94dcff1f38
- SHA512
  
  d7b4a9dbfab0ec55e27b2ded86066b37ebea7d50b3b6b28f44c996f8280463176f1107c6bf15a52fb700f88ac3e0e7b87fb8a50664da9b31fc0e89a38d2055e9
- SSDEEP
  
  768:EDVdzN+yYumzw/Wx5nYCH0e2zBsGMPv3lHhj4MyjKG9jn9/j7NFvHR0hT/YEkd3M:H6/W3YCUpqUDW
Score

3^/10

execution
behavioral13 behavioral14
- Target
  
  Emerald X/bin/Monaco/vs/basic-languages/lua/autocompletes/classes/DataModel.js
- Size
  
  11KB
- MD5
  
  287b74a1ea581434cca8f9009f1489f2
- SHA1
  
  877544929146171e416cc8fb33b0e7e49845df3d
- SHA256
  
  ce2e06aaa97355c4f68a0793c41d4e068b3e1a225f5376d9dd3f4016e0441c7a
- SHA512
  
  4cd7b324ccde3fbca94ab948c4d831655125d6d4e2b237291b8e68f172cb375002c7ccdc49c3cfcf4ab6b7d65850d1a40bcc3f9979498eec697bae43dec7b54f
- SSDEEP
  
  192:AJCfeXBM5iG6zUMmY7QMlr4qLYFQjG6AcE103aNd9xZAqGQ2qFARewPxHFTX0:9feXB2iG6zUMmY7QM54qLYFQjG6AcE1X
Score

3^/10

execution
behavioral15 behavioral16
- Target
  
  Emerald X/bin/Monaco/vs/basic-languages/lua/autocompletes/classes/Enum.js
- Size
  
  594B
- MD5
  
  4d0ec8edaec389b1eba92c1d18676f09
- SHA1
  
  6eafd8ed47700b9a2ff1e10dd7468e50fab1bf6d
- SHA256
  
  9bd9c85c5d1f476e663889ab2008f83b323c8d794abb0df35d43091c689ef64d
- SHA512
  
  d4c7655d7db8d4f7d4bb2d0add36bef916caf291b2855785685a3e812279369848ce081ac6fb5cc869fb827653a4a1f874273af17bee67987e3c3a441ad368e8
Score

3^/10

execution
behavioral17 behavioral18
- Target
  
  Emerald X/bin/Monaco/vs/basic-languages/lua/autocompletes/classes/EnumItem.js
- Size
  
  1KB
- MD5
  
  09bbad4c05be7ab76cc3c5ef4fa9ddc0
- SHA1
  
  a38cb372349a2420619e2fb629f0912500dc1064
- SHA256
  
  f7ada012dcc309b7c1cd272d1a81657b0ddb3d51521e682116522099285d525e
- SHA512
  
  40b753d8e97ba46be9fe4241dbe892bdeb62c902ea088d68ee7ea5ce0506d51b16f7105355a6b5360363c80d98b0f644b7a7ea2b4262210f24870368a2629c44
Score

3^/10

execution
behavioral19 behavioral20
- Target
  
  Emerald X/bin/Monaco/vs/basic-languages/lua/autocompletes/classes/Enums.js
- Size
  
  777KB
- MD5
  
  b1e41317d3ffe843032f5eb6f74806a9
- SHA1
  
  506f617da8d8093ed58cfda68e0d60e1aa2ed08d
- SHA256
  
  799c0657b0ab027c3ec0794e8934bed4a4a8e7f063dcae47783a7f32fbeda25c
- SHA512
  
  fb538a73935fd41b9f2ba9f6ddcdfe066f6f672d5dfe682dad301cae3392a93405fd35ee61126e9889e14f71c51e11cdecb4e20d213ba91b34801ec5b89ce02a
- SSDEEP
  
  6144:0XUmTfyptLD/yxnbDh+hIAKVwhWppLTl+ExT3dsX34hAhbAhQ9qhjLmWhXXu:wVyx
Score

3^/10

execution
behavioral21 behavioral22
- Target
  
  Emerald X/bin/Monaco/vs/basic-languages/lua/autocompletes/classes/Instance.js
- Size
  
  16KB
- MD5
  
  430fa91891107d6f1f3c3392dde9ff4d
- SHA1
  
  5d42ebec7a7c3f5e5b7eb074c38572345e33c1c1
- SHA256
  
  807dd6d35bf5fffcd4de4aa4ed1800716223a6fe014077f23f2f652ac86d2a31
- SHA512
  
  22011409e428216a619ca085ce8e034dc6bc3a8f9de27fb4f2e3dd6b8aa8cc7aa3b02508af816137f646ca1fa96e083a832e68bd8c8b016bfd7a3674d532a875
- SSDEEP
  
  384:pFcCsgQgj6bPo2nv5CYR8/+qvPNEzH+AK6/NBA8K/tQsdz6FKRjrDcWYUeih+hrA:pFcCXQgj6bPo2nv5CYR8/+qvPNEzH+Ak
Score

3^/10

execution
behavioral23 behavioral24
- Target
  
  Emerald X/bin/Monaco/vs/basic-languages/lua/autocompletes/classes/Model.js
- Size
  
  7KB
- MD5
  
  6cf31f5ac3af68e878bf565c9ed6404c
- SHA1
  
  afaa8bf2c9326ebe8658566fe6296a075d49e23c
- SHA256
  
  17b72f11f227d6261e44b0bf49d6cdc4ed88cef93c68384ba73f7550d9614d99
- SHA512
  
  0fff9572888be7dfcb792c53b006a6f4b8328d6522b971f5cb8fe9b0ce17ba9f82b6ae0a78d56cf585121a9a62772e70b03227074bb4683a52617f46c52202d2
- SSDEEP
  
  96:AqiyuRkcbZjRZ7AiQnRztu6W6cEY4Ef+YepYk6JY3g6RtqYnFNYlyecYqzGRpYSY:AJye3VNZ7/QRvcKEe9fg6zSyz2585
Score

3^/10

execution
behavioral25 behavioral26
- Target
  
  Emerald X/bin/Monaco/vs/basic-languages/lua/autocompletes/classes/RBXScriptSignal.js
- Size
  
  1KB
- MD5
  
  c41248fefc16d5e096019eace4e8ec90
- SHA1
  
  e22931bf5fefeb7a5fc4ce7770283328e588241a
- SHA256
  
  660f088e8da6e3c7c16ff4df184a92fe96c2b2ffb8c3b3411f30b68d93723dba
- SHA512
  
  98f6a1367b4be1da50d1a257e726b9c1a66ae22cb8e2d1439b1dd0b4ba4d5a7e22340b165b489911d0a8603fb5c827c7ae43d89daf10dde34352a21304265a4d
Score

3^/10

execution
behavioral27 behavioral28
- Target
  
  Emerald X/bin/Monaco/vs/basic-languages/lua/autocompletes/classes/ServiceProvider.js
- Size
  
  6KB
- MD5
  
  1b0977e0af22c275e5f7df15de461932
- SHA1
  
  2fe9b8a3910fbf4187247dea7402baa402764210
- SHA256
  
  60a9fa2721d16f3162f5701b7ada27de313794b97047cc7bba25f82859e4c75e
- SHA512
  
  8aceee740df28fdd7e28abb3b42617eca70b33756f5b414366019fead5f94f716f3fde34e3600642a6c12b7ae5904b1700332a1a3a5c20c3f5f4d609652384b6
- SSDEEP
  
  192:AJDF/h+8NpUG1mQqJfL/3x78ONlzN1eFqT:MFJ+EpB1ifL/JNoFy
Score

3^/10

execution
behavioral29 behavioral30
- Target
  
  Emerald X/bin/Monaco/vs/basic-languages/lua/autocompletes/classes/Workspace.js
- Size
  
  12KB
- MD5
  
  b965d0ffcb61fec7f70f4f28a44e9982
- SHA1
  
  2a4c47087318178698368ff06fef670155bdfc53
- SHA256
  
  251d21959744760aa1e79274b7a9fad433fd42b2d3fb4783f56f0b070d06cf8e
- SHA512
  
  9da1ea797cbaba01c92dc7a68a586ceed6048565de1b8e40074a76666a8ac1df910a91c547abd5a2f8882686ed5d2cf1079cb47d626eaaf478da74b037d06af6
- SSDEEP
  
  384:XQazTbBakPYkrvL9Li9ZV7+RSC1LQS7FihmJVPMp1TQElbvvQeTRmvhQ:XQazTbBakPhrvL9Li9ZViRp1LQS7Fihx
Score

3^/10

execution
behavioral31 behavioral32