umbral | MCFACODEGEN[.]rar

General

Target

MCFACODEGEN.rar
Size

1.2MB
MD5

69e5611ea942cd21a757560655ccacf2
SHA1

0d2ad44df6dff58c89a6a9c3e6373c99e3b81bfa
SHA256

6f806a1b18c89c3a482ccfb2b525eae695e9ad7c533b4c503aa1c7f3c29fc71b
SHA512

51df06538b27c790fe900feff39a226238bec681311eed9ad1e40067010e2496da174f4b8bb91b89ecc96fd614977d94eb3971e9a8d422d19367d8df35168be3
SSDEEP

24576:NJYoATtIVUnKlWRgMe4xsebNjWjYckZUb1bD+G5A3vIcHP6qAG2eGs1Gb:PA5SUnmThzebNJZUbhKG5iAcv6qAGBy

Score

10^/10

agilenet umbral

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1298608602063437835/JyCfJN4kOZTYSMy3p7C0nzjwBZVeXN-s99bZmxGmhCwtA9ugQjsNEeKH7DXCeDl2AAko

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
static1/unpack001/CODEMCFA.exe	family_umbral

Umbral family
umbral

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
static1/unpack001/Bunifu.Licensing.dll	agile_net

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
unpack001/Bunifu.Licensing.dll
unpack001/CODEMCFA.exe

Files

MCFACODEGEN.rar
.rar

Password: skibidiutrynaratme
Bunifu.Licensing.dll
.dll windows:4 windows x86 arch:x86

Password: skibidiutrynaratme

dae02f32a21e03ce65412f6e56942daa

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

mscoree

_CorDllMain

Sections

.text
Size: 1.3MB - Virtual size: 1.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
CODEMCFA.exe
.exe windows:4 windows x86 arch:x86

Password: skibidiutrynaratme

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 228KB - Virtual size: 228KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

Password: skibidiutrynaratme

Password: skibidiutrynaratme

dae02f32a21e03ce65412f6e56942daa

Headers

DLL Characteristics

File Characteristics

Imports

mscoree

Sections

.text Size: 1.3MB - Virtual size: 1.3MB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 512B - Virtual size: 12B

Password: skibidiutrynaratme

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

File Characteristics

Imports

mscoree

Sections

.text Size: 228KB - Virtual size: 228KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 512B - Virtual size: 12B

We care about your privacy.

.text
Size: 1.3MB - Virtual size: 1.3MB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 12B

.text
Size: 228KB - Virtual size: 228KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 12B