umbral | 93ce8e3689636df1bf9f269f4e96f0e30f3f7c5848778ad12f82275fd4061f85

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-11-2024 19:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Hypnox TB V1.2.exe
Size

239KB
MD5

f998146f650224b7a945c998246c79ca
SHA1

9ab4507aaf84093985febac2d5a28a1f0e00b52e
SHA256

93ce8e3689636df1bf9f269f4e96f0e30f3f7c5848778ad12f82275fd4061f85
SHA512

50a885cf13d60a59b25c3d9a8110feb5ba67b5f2b028b6abe5efac38b27c2ad5be9dd0f345379763b1b034458cebffd63ee4ce33c5a416b6662f004acf4a8224
SSDEEP

6144:rloZMLrIkd8g+EtXHkv/iD4pdeTKInDASZMK7bCQ0b8e1muYZi:poZ0L+EP8pdeTKInDASZMK7bCFjx

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral2/memory/4008-1-0x000001BB04CD0000-0x000001BB04D12000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ip-api.com

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	4008	Hypnox TB V1.2.exe
Token: SeIncreaseQuotaPrivilege	936	wmic.exe
Token: SeSecurityPrivilege	936	wmic.exe
Token: SeTakeOwnershipPrivilege	936	wmic.exe
Token: SeLoadDriverPrivilege	936	wmic.exe
Token: SeSystemProfilePrivilege	936	wmic.exe
Token: SeSystemtimePrivilege	936	wmic.exe
Token: SeProfSingleProcessPrivilege	936	wmic.exe
Token: SeIncBasePriorityPrivilege	936	wmic.exe
Token: SeCreatePagefilePrivilege	936	wmic.exe
Token: SeBackupPrivilege	936	wmic.exe
Token: SeRestorePrivilege	936	wmic.exe
Token: SeShutdownPrivilege	936	wmic.exe
Token: SeDebugPrivilege	936	wmic.exe
Token: SeSystemEnvironmentPrivilege	936	wmic.exe
Token: SeRemoteShutdownPrivilege	936	wmic.exe
Token: SeUndockPrivilege	936	wmic.exe
Token: SeManageVolumePrivilege	936	wmic.exe
Token: 33	936	wmic.exe
Token: 34	936	wmic.exe
Token: 35	936	wmic.exe
Token: 36	936	wmic.exe
Token: SeIncreaseQuotaPrivilege	936	wmic.exe
Token: SeSecurityPrivilege	936	wmic.exe
Token: SeTakeOwnershipPrivilege	936	wmic.exe
Token: SeLoadDriverPrivilege	936	wmic.exe
Token: SeSystemProfilePrivilege	936	wmic.exe
Token: SeSystemtimePrivilege	936	wmic.exe
Token: SeProfSingleProcessPrivilege	936	wmic.exe
Token: SeIncBasePriorityPrivilege	936	wmic.exe
Token: SeCreatePagefilePrivilege	936	wmic.exe
Token: SeBackupPrivilege	936	wmic.exe
Token: SeRestorePrivilege	936	wmic.exe
Token: SeShutdownPrivilege	936	wmic.exe
Token: SeDebugPrivilege	936	wmic.exe
Token: SeSystemEnvironmentPrivilege	936	wmic.exe
Token: SeRemoteShutdownPrivilege	936	wmic.exe
Token: SeUndockPrivilege	936	wmic.exe
Token: SeManageVolumePrivilege	936	wmic.exe
Token: 33	936	wmic.exe
Token: 34	936	wmic.exe
Token: 35	936	wmic.exe
Token: 36	936	wmic.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4008 wrote to memory of 936	4008	Hypnox TB V1.2.exe	85
PID 4008 wrote to memory of 936	4008	Hypnox TB V1.2.exe	85

C:\Users\Admin\AppData\Local\Temp\Hypnox TB V1.2.exe
"C:\Users\Admin\AppData\Local\Temp\Hypnox TB V1.2.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4008
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:936

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4008-1-0x000001BB04CD0000-0x000001BB04D12000-memory.dmp

Filesize
264KB

Download
memory/4008-0-0x00007FF8CE2F3000-0x00007FF8CE2F5000-memory.dmp

Filesize
8KB

Download
memory/4008-2-0x00007FF8CE2F0000-0x00007FF8CEDB1000-memory.dmp

Filesize
10.8MB

Download
memory/4008-4-0x00007FF8CE2F0000-0x00007FF8CEDB1000-memory.dmp

Filesize
10.8MB

Download