Resubmissions

18-10-2024 16:40

241018-t6hfbayhkl 10

18-10-2024 16:37

241018-t422yaygnm 10

Analysis

  • max time kernel
    16s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    18-10-2024 16:37

General

  • Target

    Umbral.bin.exe

  • Size

    232KB

  • MD5

    1377d5688f3780885e77a0ec534be5b7

  • SHA1

    91628df86ab2fdf204781d970d0635103a01aa1d

  • SHA256

    f925d39bf8715d44d8558e287076c2783318767b3dda49715147cb38a762c5a2

  • SHA512

    b4fb4e7d708fc1167d193e44ce8b44187e2ac69b8bfa522f7b2e8d9871eebefc6b60e9521aa7e444c3c21b986112b4c2f91ced78d2a9b2bc79b569817c4564c2

  • SSDEEP

    6144:KloZM+rIkd8g+EtXHkv/iD4/fvrsyVtGDTOMdWDjo+b8e1mNoi:0oZtL+EP8/fvrsyVtGDTOMdWDvQ

Score
10/10

Malware Config

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral stealer is an open-source modular stealer written in C#.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of AdjustPrivilegeToken 41 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Umbral.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\Umbral.bin.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2220
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2820

Network

  • flag-us
    DNS
    gstatic.com
    Umbral.bin.exe
    Remote address:
    8.8.8.8:53
    Request
    gstatic.com
    IN A
    Response
    gstatic.com
    IN A
    142.250.179.227
  • flag-gb
    GET
    https://gstatic.com/generate_204
    Umbral.bin.exe
    Remote address:
    142.250.179.227:443
    Request
    GET /generate_204 HTTP/1.1
    Host: gstatic.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 204 No Content
    Content-Length: 0
    Cross-Origin-Resource-Policy: cross-origin
    Date: Fri, 18 Oct 2024 16:37:42 GMT
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • flag-us
    DNS
    ip-api.com
    Umbral.bin.exe
    Remote address:
    8.8.8.8:53
    Request
    ip-api.com
    IN A
    Response
    ip-api.com
    IN A
    208.95.112.1
  • flag-us
    GET
    http://ip-api.com/line/?fields=hosting
    Umbral.bin.exe
    Remote address:
    208.95.112.1:80
    Request
    GET /line/?fields=hosting HTTP/1.1
    Host: ip-api.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Fri, 18 Oct 2024 16:37:42 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 5
    Access-Control-Allow-Origin: *
    X-Ttl: 58
    X-Rl: 43
  • 142.250.179.227:443
    https://gstatic.com/generate_204
    tls, http
    Umbral.bin.exe
    752 B
    4.7kB
    9
    9

    HTTP Request

    GET https://gstatic.com/generate_204

    HTTP Response

    204
  • 208.95.112.1:80
    http://ip-api.com/line/?fields=hosting
    http
    Umbral.bin.exe
    264 B
    266 B
    4
    2

    HTTP Request

    GET http://ip-api.com/line/?fields=hosting

    HTTP Response

    200
  • 8.8.8.8:53
    gstatic.com
    dns
    Umbral.bin.exe
    57 B
    73 B
    1
    1

    DNS Request

    gstatic.com

    DNS Response

    142.250.179.227

  • 8.8.8.8:53
    ip-api.com
    dns
    Umbral.bin.exe
    56 B
    72 B
    1
    1

    DNS Request

    ip-api.com

    DNS Response

    208.95.112.1

MITRE ATT&CK Matrix

Downloads

  • memory/2220-0-0x000007FEF5063000-0x000007FEF5064000-memory.dmp

    Filesize

    4KB

  • memory/2220-1-0x0000000000900000-0x0000000000940000-memory.dmp

    Filesize

    256KB

  • memory/2220-2-0x000007FEF5060000-0x000007FEF5A4C000-memory.dmp

    Filesize

    9.9MB

  • memory/2220-3-0x000007FEF5060000-0x000007FEF5A4C000-memory.dmp

    Filesize

    9.9MB
