umbral | e88b3a06ac0cbf4130b1c66dde276a4062f472a71d2bf72048ffb577318d5979 | Triage

Sharing

General

Target

GeoLocate (1).rar
Size

316KB
Sample

241011-1lqphszfmk
MD5

5f580514f24c6991b0fb893d71cd7183
SHA1

f2f1a6efdfae8de7be414e8438119a76fd13d891
SHA256

e88b3a06ac0cbf4130b1c66dde276a4062f472a71d2bf72048ffb577318d5979
SHA512

c5b042b1b329ccb9c5761f579c64cd410fca20ab6ae10982c72b8332dde67cc9a4ee77ab1278514eb041c2b6eec911ddf53191c9d8076c886cae3ceb21d488c0
SSDEEP

6144:ZLNW7iZ5uKnKQ4TuV1sU4URDAHPgNtUlqTz1vAWCEBlE2kw6L:xNW7e5Kvc14UR9UluIWCYlE2Z6L

Score

10^/10

umbral discovery stealer

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1286714539492249691/WGN7-dFwgZ0rCdSawTA_6w4aqFusamrpnEHJq2mpQA-uVYCCW9OCO2W1dKDE0JeS5MPw

Targets

- Target
  
  GeoLocate (1)/GeoLocate/Src/Files/skid.exe
- Size
  
  230KB
- MD5
  
  de2d4e3d82dc91ee44c91793de896c7a
- SHA1
  
  3b8db665d3666be6a4234c801b9ca93ced36655e
- SHA256
  
  2744f1315bfa21aef381540d3ad53bc90cf15a8513905aba442b4610e8f0c337
- SHA512
  
  6a257e6df13bd6dcc1452fa692515b955896f1141aad84110ceaad5a3a929607586c849bcfdb161d648e89c53d747a39e564551172fd36c1e440618346b7b40f
- SSDEEP
  
  6144:jloZM+rIkd8g+EtXHkv/iD4Ff6Cj5nsAv7OXZkQlPJXb8e1mq/i:BoZtL+EP8t6Cj5nsAv7OXZkQllNq
Score

10^/10

umbral stealer
- Detect Umbral payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2
- Target
  
  GeoLocate (1)/GeoLocate/Src/GeoLocate.exe
- Size
  
  10KB
- MD5
  
  81f451dcb5fd406bcb73d4af52c10785
- SHA1
  
  7e66bfd724187aa1eb7fb312bc6b9bff6d675d0c
- SHA256
  
  1a2b8c6b26adfec263c6b903a6db7307ae98e2a4d17a7feea72ed4fdfafac76d
- SHA512
  
  a135c2472063cc19fca2832ce464d436fc6efcb4e9b1ad5f3fa6752e63f93d40dee8bb6ebd86016de79607c2543f563cfd7ca7b69d1941017548482982613596
- SSDEEP
  
  192:zqB+ypmtM8OrGq8W+drdDWmfoKXVbqU+qi:zKz1ffW9Vmq
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  GeoLocate (1)/GeoLocate/Src/Newtonsoft.Json.dll
- Size
  
  695KB
- MD5
  
  195ffb7167db3219b217c4fd439eedd6
- SHA1
  
  1e76e6099570ede620b76ed47cf8d03a936d49f8
- SHA256
  
  e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d
- SHA512
  
  56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac
- SSDEEP
  
  12288:GBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUO:GBjk38WuBcAbwoA/BkjSHXP36RMG/
Score

1^/10
behavioral5 behavioral6
- Target
  
  GeoLocate (1)/GeoLocate/Start.bat
- Size
  
  65B
- MD5
  
  35fe1bc3ce269544b91a4f9d224627c6
- SHA1
  
  6c84b83ed36f95b805687e5c500e44faf0d144db
- SHA256
  
  6ed72f86689c84cc2f2680a99d47dd92a4dc9941ff483530814148a587e729c7
- SHA512
  
  aa72112556953f27f84e1b97de54574776a5043e924caf0935fac3db4c0c6a13db4a85467f7df0755667860b591ae50252358e72374a766a93a18ecfb3ec1403
Score

10^/10

umbral discovery stealer
- Detect Umbral payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral7 behavioral8

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

umbraldiscoverystealer

behavioral8

umbraldiscoverystealer