umbral | 8bcefbc968d466cae606529d1ea16db2d177f39d2a7b3c84e761b60d4889f609 | Triage

Analysis

max time kernel
0s
max time network
21s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
24-10-2024 23:32

Sharing

Report Analysis Logs

General

Target

five m password.exe
Size

254KB
MD5

001edf582642b132a2109bd4ab674960
SHA1

5871e99668fe1d73f1d7d3c0eaee57db3238a5af
SHA256

8bcefbc968d466cae606529d1ea16db2d177f39d2a7b3c84e761b60d4889f609
SHA512

279a8171909fadd450dc2ed7226420983e6acfdc4ad49932ef8b25012f3346b5a93c4a332cef3bc00d2ca6ce0c12ecf81320aa1594dab946b456cd639076e7dd
SSDEEP

6144:K4oZoAeVHPtHgTIAaZgCwDx7axHU0unC28ejI8D7:xoZyHPvWCwjXCsIy

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/3552-1-0x0000028913380000-0x00000289133C6000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3552	five m password.exe

C:\Users\Admin\AppData\Local\Temp\five m password.exe
"C:\Users\Admin\AppData\Local\Temp\five m password.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3552
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:3512

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3552-0-0x00007FF8ED503000-0x00007FF8ED504000-memory.dmp

Filesize
4KB

Download
memory/3552-1-0x0000028913380000-0x00000289133C6000-memory.dmp

Filesize
280KB

Download
memory/3552-2-0x00007FF8ED500000-0x00007FF8EDEEC000-memory.dmp

Filesize
9.9MB

Download
memory/3552-4-0x00007FF8ED500000-0x00007FF8EDEEC000-memory.dmp

Filesize
9.9MB

Download