umbral | eacb721b092e628a9699924dad19f4ea4ae1f3d7eb5dce85b5dcd16a273cd78b | Triage

Submit
Reports

Overview

overview

Static

static

Umbral.exe

windows7-x64

Umbral.exe

windows10-2004-x64

Sharing

General

Target

Umbral.exe
Size

229KB
Sample

241031-fz7jzayraw
MD5

05396af5253bb6dd42278b146668faac
SHA1

44a769f9800ed7675b6b6bd57a6a123b6dc10371
SHA256

eacb721b092e628a9699924dad19f4ea4ae1f3d7eb5dce85b5dcd16a273cd78b
SHA512

3283964cff79c4fa5319f92bd429c19b0f99ae4a0f518a15882a132177eba60e2ed2ec0fbcfdf273e7e0be646b4f00cee0298a23bef5a83b1985029845f1b916
SSDEEP

6144:lloZM+rIkd8g+EtXHkv/iD4FQpTNbYMTiqL9Y0hU9b8e1msBi:noZtL+EP8FQpTNbYMTiqL9Y0h8w

Score

10^/10

umbral discovery persistence privilege_escalation stealer

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

Umbral.exe

Resource

win7-20241010-en

windows7-x64

6 signatures

150 seconds

Behavioral task

behavioral2

Sample

Umbral.exe

Resource

win10v2004-20241007-en

umbral discovery persistence privilege_escalation stealer

windows10-2004-x64

20 signatures

150 seconds

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1301414253722603540/jg-6zDziHcOTDOKtI8ajj94GfsHIjqSlAXLi1SgBHImM2bg01nh8sCJuz98O7QdqPpkO

Targets

- Target
  
  Umbral.exe
- Size
  
  229KB
- MD5
  
  05396af5253bb6dd42278b146668faac
- SHA1
  
  44a769f9800ed7675b6b6bd57a6a123b6dc10371
- SHA256
  
  eacb721b092e628a9699924dad19f4ea4ae1f3d7eb5dce85b5dcd16a273cd78b
- SHA512
  
  3283964cff79c4fa5319f92bd429c19b0f99ae4a0f518a15882a132177eba60e2ed2ec0fbcfdf273e7e0be646b4f00cee0298a23bef5a83b1985029845f1b916
- SSDEEP
  
  6144:lloZM+rIkd8g+EtXHkv/iD4FQpTNbYMTiqL9Y0hU9b8e1msBi:noZtL+EP8FQpTNbYMTiqL9Y0h8w
Score

10^/10

umbral stealer discovery persistence privilege_escalation
- Detect Umbral payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Umbral family
  umbral
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Modifies system executable filetype association
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

Change Default File Association

Component Object Model Hijacking

Privilege Escalation

Event Triggered Execution

Change Default File Association

Component Object Model Hijacking

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

umbraldiscoverypersistenceprivilege_escalationstealer

© 2018-2024

Terms | Privacy