umbral | e347a40fb7e3ef7705992bce042a420c6fd25913aa931e6fd78ad91b6024e0ee

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
05-10-2024 18:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bloxtrap.exe
Size

231KB
MD5

30e78c99e6dadf3e214426fad0aa70ad
SHA1

e7c69f6df99f06632a451d633e615f274b5eaed6
SHA256

e347a40fb7e3ef7705992bce042a420c6fd25913aa931e6fd78ad91b6024e0ee
SHA512

7c93c81962a0930821bc972578f1cdd5b0309005d5ef63a52ea28cfd6dab8dac5364b57c5cb9360b3166a724c4c4bbf30d48f78f09b435c7c8b9c8676e8bb859
SSDEEP

6144:8loZM+rIkd8g+EtXHkv/iD4o1me/1+mpusl3ySXLqb8e1mFOi:aoZtL+EP8o1me/1+mpusl3ySXK6

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/2696-1-0x0000000000DC0000-0x0000000000E00000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	2696	Bloxtrap.exe
Token: SeIncreaseQuotaPrivilege	2704	wmic.exe
Token: SeSecurityPrivilege	2704	wmic.exe
Token: SeTakeOwnershipPrivilege	2704	wmic.exe
Token: SeLoadDriverPrivilege	2704	wmic.exe
Token: SeSystemProfilePrivilege	2704	wmic.exe
Token: SeSystemtimePrivilege	2704	wmic.exe
Token: SeProfSingleProcessPrivilege	2704	wmic.exe
Token: SeIncBasePriorityPrivilege	2704	wmic.exe
Token: SeCreatePagefilePrivilege	2704	wmic.exe
Token: SeBackupPrivilege	2704	wmic.exe
Token: SeRestorePrivilege	2704	wmic.exe
Token: SeShutdownPrivilege	2704	wmic.exe
Token: SeDebugPrivilege	2704	wmic.exe
Token: SeSystemEnvironmentPrivilege	2704	wmic.exe
Token: SeRemoteShutdownPrivilege	2704	wmic.exe
Token: SeUndockPrivilege	2704	wmic.exe
Token: SeManageVolumePrivilege	2704	wmic.exe
Token: 33	2704	wmic.exe
Token: 34	2704	wmic.exe
Token: 35	2704	wmic.exe
Token: SeIncreaseQuotaPrivilege	2704	wmic.exe
Token: SeSecurityPrivilege	2704	wmic.exe
Token: SeTakeOwnershipPrivilege	2704	wmic.exe
Token: SeLoadDriverPrivilege	2704	wmic.exe
Token: SeSystemProfilePrivilege	2704	wmic.exe
Token: SeSystemtimePrivilege	2704	wmic.exe
Token: SeProfSingleProcessPrivilege	2704	wmic.exe
Token: SeIncBasePriorityPrivilege	2704	wmic.exe
Token: SeCreatePagefilePrivilege	2704	wmic.exe
Token: SeBackupPrivilege	2704	wmic.exe
Token: SeRestorePrivilege	2704	wmic.exe
Token: SeShutdownPrivilege	2704	wmic.exe
Token: SeDebugPrivilege	2704	wmic.exe
Token: SeSystemEnvironmentPrivilege	2704	wmic.exe
Token: SeRemoteShutdownPrivilege	2704	wmic.exe
Token: SeUndockPrivilege	2704	wmic.exe
Token: SeManageVolumePrivilege	2704	wmic.exe
Token: 33	2704	wmic.exe
Token: 34	2704	wmic.exe
Token: 35	2704	wmic.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 2704	2696	Bloxtrap.exe	30
PID 2696 wrote to memory of 2704	2696	Bloxtrap.exe	30
PID 2696 wrote to memory of 2704	2696	Bloxtrap.exe	30

C:\Users\Admin\AppData\Local\Temp\Bloxtrap.exe
"C:\Users\Admin\AppData\Local\Temp\Bloxtrap.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2704

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2696-0-0x000007FEF5CB3000-0x000007FEF5CB4000-memory.dmp

Filesize
4KB

Download
memory/2696-1-0x0000000000DC0000-0x0000000000E00000-memory.dmp

Filesize
256KB

Download
memory/2696-2-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

Filesize
9.9MB

Download
memory/2696-3-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

Filesize
9.9MB

Download