umbral | b99eb432b5d440a41faf8ed09c3df4ff0cf82ca13fefed8c2cb56ca96960ab4d | Triage

Sharing

General

Target

Umbral.bat
Size

468KB
Sample

241027-vx68ra1bpr
MD5

50c1619dde4c59211f2220d19fd7a2ff
SHA1

f89a90307b00ff0bd2733642ea43427bc304c730
SHA256

b99eb432b5d440a41faf8ed09c3df4ff0cf82ca13fefed8c2cb56ca96960ab4d
SHA512

ed591a3357cc3e3487b708f2e08a74683c93d5e5e16d1978f90f4dc37b77f147bb36ba3cb55318d146c0831f7636baa22006b6c9960db3e8a72dbdc798efb627
SSDEEP

12288:7WdGCJGwwo92cPLI0O8JtFDUB9PvBxdCAI2hlojjF9xq:SNswwxcjJngP3PdCVuM9xq

Score

10^/10

umbral defense_evasion execution stealer

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1289565581565104128/6_mwv0w1S5A0l9XLPkwW6UmUZxdAw3mP7dh5lsWmFsgqgu5kJGEszt1-zAw_BajgNh6i

Targets

- Target
  
  Umbral.bat
- Size
  
  468KB
- MD5
  
  50c1619dde4c59211f2220d19fd7a2ff
- SHA1
  
  f89a90307b00ff0bd2733642ea43427bc304c730
- SHA256
  
  b99eb432b5d440a41faf8ed09c3df4ff0cf82ca13fefed8c2cb56ca96960ab4d
- SHA512
  
  ed591a3357cc3e3487b708f2e08a74683c93d5e5e16d1978f90f4dc37b77f147bb36ba3cb55318d146c0831f7636baa22006b6c9960db3e8a72dbdc798efb627
- SSDEEP
  
  12288:7WdGCJGwwo92cPLI0O8JtFDUB9PvBxdCAI2hlojjF9xq:SNswwxcjJngP3PdCVuM9xq
Score

10^/10

execution umbral defense_evasion stealer
- Detect Umbral payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Umbral family
  umbral
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Indicator Removal: Clear Windows Event Logs
  Clear Windows Event Logs to hide the activity of an intrusion.
  defense_evasion
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

Clear Windows Event Logs

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

umbraldefense_evasionexecutionstealer