umbral

Sharing

Copy URL

Twitter E-mail

General

Target

KraxxStealer-main.zip
Size

1.2MB
Sample

241115-l2r5yssejc
MD5

73222b81f9ef5fc735a5d905a305b22d
SHA1

33135b6ca277c58df56aa490b60383c431905fa0
SHA256

68ea23c1515b2306e607ce7b124f9314b4af9ee2572e23550b3ac1a8dd3b43e6
SHA512

ae927b2882ea7244b6813534916769664cdd41d11e21b667e5b52d6194972418ff418db5e1882eb7ea47a0fb6e8ac94a773bf105e32e0d868e79b2d641b267c7
SSDEEP

24576:U1D05gOqzT1PnVlUP8TBRRtzsmE6fwdQtbF/HfKlrtE8DGuVEEv1/P:15+T17q83HzsmEqtb1KBtEqGeEEv1/P

Score

10^/10

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1304419039795216384/I-1rDDELSZUL7vdbJu9Nq2KvlQflcDT6sU5blXr4EiynR3G0o3w6M7UvOpW7sf-6-2TI

Targets

- Target
  
  KraxxStealer-main.zip
- Size
  
  1.2MB
- MD5
  
  73222b81f9ef5fc735a5d905a305b22d
- SHA1
  
  33135b6ca277c58df56aa490b60383c431905fa0
- SHA256
  
  68ea23c1515b2306e607ce7b124f9314b4af9ee2572e23550b3ac1a8dd3b43e6
- SHA512
  
  ae927b2882ea7244b6813534916769664cdd41d11e21b667e5b52d6194972418ff418db5e1882eb7ea47a0fb6e8ac94a773bf105e32e0d868e79b2d641b267c7
- SSDEEP
  
  24576:U1D05gOqzT1PnVlUP8TBRRtzsmE6fwdQtbF/HfKlrtE8DGuVEEv1/P:15+T17q83HzsmEqtb1KBtEqGeEEv1/P
Score

10^/10

umbral execution spyware stealer
- Detect Umbral payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Umbral family
  umbral
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2
- Target
  
  KraxxStealer-main/Kraxx-OS.zip
- Size
  
  1.2MB
- MD5
  
  a2aaa6214c2f1d0014868ae76e2c2a81
- SHA1
  
  02d094eb9bd57fdb80a2c04ec5692d1bb0cd75d1
- SHA256
  
  689abeaf7a22702b1f85de8fe8f4710676ceb96b39e2b11c89e05021b8560fae
- SHA512
  
  bd70040a18fad5a5bfc2484121ba407b27be7e64d6ca0d7e0ed9cd70da1a1a879288ea95c7b5e1bf12822fd8b2557f9a4796e427baa7196c6e5da78dc4878e83
- SSDEEP
  
  24576:Zh04vJrwOVaMr8D/RRbxssEg3sdyd9znHBK17tYPd3GRMYoSVMECRs7D:hJrwOVa48tZxssECd9VK9tgd3GRcSVMs
Score

1^/10
behavioral3 behavioral4
- Target
  
  Kraxx-Builder/Kraxx-OS-Builder/Kraxx-Builder.exe
- Size
  
  229KB
- MD5
  
  1c615c8e4fc8fbbf2519a03471cdac01
- SHA1
  
  5388ec05cbe0f0928ae7f9be41ed99a5a5607d05
- SHA256
  
  035d79db8e3afcf56dfc240fb3df650409d78ae18d7f7eafdf00d38a5c520fa3
- SHA512
  
  3c624edec97f885aaf06ffa5d0628e453fcb76066524ac7316dbcf85f20ab4605616234b6348c3cad17d8057a6db7ae0b16f8bf44a950326244a98bd1b615ce2
- SSDEEP
  
  6144:tloZMHrIkd8g+EtXHkv/iD48enthv0IH22PxM4daSb8e1m79Ri:voZIL+EP88enthv0IH22PxM4dtYI
Score

10^/10

umbral execution spyware stealer
- Detect Umbral payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Umbral family
  umbral
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral5 behavioral6
- Target
  
  Kraxx-Builder/Kraxx-OS-Builder/Settings/AssemblyList_4_client.xml
- Size
  
  15KB
- MD5
  
  4a24bad44bce8e1f086da0e75d15b7c7
- SHA1
  
  0c7c45e72c9d2696ee25fbbca726099c041ca455
- SHA256
  
  5e0a298d6a3304f4d6ee2f2c845aa89bd223fc9c7735d58c46362cb4625f85cc
- SHA512
  
  2bc19cc437d4cc3346c4b35e766b0c83e3820c82f1b8a782503eb2f58b54094af15f126c7aeda3b856d317837c76b913679776f600bca721c84b1a20907b402b
- SSDEEP
  
  96:D7J93M9SC/rtM82BWyt3BPGzzj63xzYTDsmRo50:WScpM8X/3smO50
Score

3^/10

discovery
behavioral7 behavioral8
- Target
  
  Kraxx-Builder/Kraxx-OS-Builder/Settings/AssemblyList_4_extended.xml
- Size
  
  8KB
- MD5
  
  a87b873d20ae123d3ef356b2a971c9df
- SHA1
  
  670f14fd1082341c25ec7926a9794da9d6d43f4f
- SHA256
  
  0550606fb6604bb229f973dc60984754eff1ea3d6d86f64658918b121cfe13ef
- SHA512
  
  8755e2033fd218c2e29ae5d67c6bb1317effd7fa67407f2a9f050a1dafe5644df5ef92a6040a703a525213c9ff13c57dc49d77941db9bc5b22f3fc0644d67637
- SSDEEP
  
  48:3gD/NgfoENgf9+oCWyNg8tNg8PNg8UCNg5fiNg8fENg8iNg81QNg8oENg8FZNg8N:4SoCWjWlVvfpFhFPXztrFoflH
Score

3^/10

discovery
behavioral10 behavioral9
- Target
  
  Kraxx-Builder/Kraxx-OS-Builder/Settings/TableTextService.dll
- Size
  
  622KB
- MD5
  
  b3bddb053ce15e5ec9e48df330beb1b1
- SHA1
  
  cdf5cb7e72363ca28ac65bfd0e31df271fead97f
- SHA256
  
  c69a3c7b42b0633d5d1bbdbc047223c03eddffedf5929f1f01be6a9f549fff93
- SHA512
  
  4752c66fa99243190c7d7e7d702df7335a130eaa564db4625a671b034728d5603b0ef74c13d8b03f2ee4fc3c07ce87d75a139296ae0ab3118a6d84ac897a7558
- SSDEEP
  
  6144:kgPg7BG99SuyoeJjUjqLqxxT1z66Zs2lbhl5d39rIX/ZZQ7:kgyL3+rhfdtc/ZK7
Score

3^/10

discovery
behavioral11
- Target
  
  Kraxx-Builder/Kraxx-OS-Builder/Settings/bootmgfw.efi.mui
- Size
  
  75KB
- MD5
  
  eaf7fddc2dd4d7be469911527c27c0ef
- SHA1
  
  88128961e1066493fb28dbd53a1e555126ec883a
- SHA256
  
  488ed6f0deb1d5e93c3c4e16ff29a6f50f0250aa0bf9f051278fcc52efe92428
- SHA512
  
  fdac0a161603184e43d9613c6d1646ddb0288db7ac1829ecdef9b8fcc799f017c36f3068711da2479ccafaee629c98fed925bb3e35a05281384127b0db4eaa12
- SSDEEP
  
  384:xAueYsrVuGdAoEtt7wLSZkqR3MV1JFRF1dk5W/7W+rzBpAv8TXAuOuOxJhSlq44P:lwWpOQ+3RDAuOuOxJhfILp1PQrH
Score

1^/10
behavioral12 behavioral13
- Target
  
  Kraxx-Builder/Kraxx-OS-Builder/Settings/bootmgr.efi.mui
- Size
  
  75KB
- MD5
  
  7c9382fe4ffd92d9bfd4b81052a30cb7
- SHA1
  
  c0cad6d611da214738e27ca9c88a039f08dd92f7
- SHA256
  
  aaf98f0aeab780be9639091ec65525c92f78d070f4e163aaf48ef5da49e65304
- SHA512
  
  c7c8245fec941d7586ea530f9418fad6a709b3f96af1426e91e52d7a6c6689bc5c63e40a1e97002e20a087824c92d237ea11ab9f03a84bb0f0f228c319792a64
- SSDEEP
  
  384:cAueYsrVuGdAoEtt7wLSZkqR3MV1JFRF1dk5W/7W+rzBpAv8TXAuOuOxJhSlq44l:ywWpOQ+3RDAuOuOxJhfILx1P50
Score

1^/10
behavioral14 behavioral15
- Target
  
  Kraxx-Builder/Kraxx-OS-Builder/Settings/en-US/TableTextService.dll.mui
- Size
  
  8KB
- MD5
  
  5311e841fd548101e0c7139cb752d512
- SHA1
  
  fe2dbdf7ebb32a45792518184a6a58a35b9cc34e
- SHA256
  
  7e625d9b33abc6724f17961e3f9e4b99102d1f2c41c11c032c8515fa0fc7e826
- SHA512
  
  6ae67553a49f5b1fe8574d216ae877ba714f116f79329e3ffa227080fea2fd0f87247c40af3ea21010097dff736899144e2af8e4e7c5ef156ae9eb59b2b2f7fe
- SSDEEP
  
  96:65QzdcmcVra6xRErFcvdE9xtWH7UD7DA4ztJrXzejcVd+WIz54Ww+:HHAa66F+dExWHQPDA4xJrXz6WIz54WN
Score

1^/10
behavioral16
- Target
  
  Kraxx-Builder/Kraxx-OS-Builder/Settings/memtest.efi.mui
- Size
  
  43KB
- MD5
  
  23d005204a917de5ccbf3497d7f57ab2
- SHA1
  
  18fc0717730ebf994f0aa045f3e6c79c5b5472f8
- SHA256
  
  7ddc6a0b8989c8d20589875baae58b7e9d793440cf23393959638994da980e5f
- SHA512
  
  b026a11e8e8cc5ddd769847beaa8f64a2603d1cdd18e67a1631f245fc3c927693d0366331030f1e66d0b3f71ef08ceb56badc6dfde47a058b8319deff75fb33c
- SSDEEP
  
  384:fQouJzuN5x0mVZHorzHlvL6WFLW+rzBpRv8TgXLkkvwgvKcvwFNUDBRJHPqslGsZ:oouJzE5wn+8ONU1PHwet
Score

1^/10
behavioral17 behavioral18
- Target
  
  Kraxx-Builder/Kraxx-OS-Builder/Source/SenseTVM.exe
- Size
  
  2.0MB
- MD5
  
  5ae60c81be6e03ca1c08f267cd5ca7ba
- SHA1
  
  187439bda6672380e1bc7846e23925a9b9752288
- SHA256
  
  09e554fd71e734e16e2d9672eef726510defc57d46c16838e4d38c1fb434a4e5
- SHA512
  
  1fa653166d8d4ae50ac57e4d3999221206473f4f9d4c6c6bb89bf1cc459e3888d8390a68f4951ae6bb7262b76c51c2022e91511917b3b1727295dfd7fd37a675
- SSDEEP
  
  49152:QwmPJOcoFpVcv67O71XtnZoBdtjQDa1fXWgGe:Dlv9WpyXWU
Score

1^/10
behavioral19 behavioral20
- Target
  
  Kraxx-Builder/Kraxx-OS-Builder/Source/ThirdPartyNotice
- Size
  
  10KB
- MD5
  
  b57fa190ade7e2825198b2d8a3ff8955
- SHA1
  
  40cad7cca13cc4e9f5ae3a4e6cc20535cf12c2c9
- SHA256
  
  2c27f9f1276820dd455adac79fb6bd2af1fcd0179b115174ac95444da8200f6e
- SHA512
  
  ae73d73a37b40af52ff35ca6d7eb02cf1479adf80c26c46902d4d12ad3ce4d8ee0d6b77a71ddb99b1c513a51e6cbf8947ccc08436a2ceea69bdbfd21b96b8423
- SSDEEP
  
  192:PYbCfU2yQHEHBQHFqiWPxrs1rsy/QZ93O0Z782sOrsjrsAC13C3hinCL:PjU2y9hYqiWrs1rsyilF2ursjrsrdsht
Score

1^/10
behavioral21 behavioral22
- Target
  
  Kraxx-Builder/Kraxx-OS-Builder/Source/WATPCSP.dll
- Size
  
  188KB
- MD5
  
  8dad4f7948cd97c61e144e70cf2e73f2
- SHA1
  
  1dbb6eb9553264b3112eb5ca5d8e29dd5018d531
- SHA256
  
  24f8950f914e4a1d7ce9c9c776bd5bcf96a44d55388f153eb3e8f86e199a99e0
- SHA512
  
  8f2dbf9a4cc2281141fd1fbcbeb5301a8310634770e8464a0834ec17165e5bc925b1d19128510a0beecf88df7cbd83ebc233ac397c3dcaf34841f2c57c631fa8
- SSDEEP
  
  3072:X3p+pTbwmZTFXM8wJLZJvjYjQAG6D+vlrPC7+B:nebwmZT1MFZ6D+vlrPC
Score

1^/10
behavioral23
- Target
  
  KraxxStealer-main/README.md
- Size
  
  1KB
- MD5
  
  23a2bf47770eb3a5bd3a1f04fdafba4d
- SHA1
  
  a1fe6ed7c0abbd529537743345f31ad6f4a65643
- SHA256
  
  783edba7ca797c4618c68893551a840427e444ec81ad708aa7e9c1fe150a424d
- SHA512
  
  4821ca2121ec22371e054f7abe69449f48beea6841c2c6f7822ee1aebadfe3874d3881b663446074c99cfd5e367ec52906dceb1f08034da4d7b74e9e96b9b558
Score

3^/10

discovery
behavioral24 behavioral25

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detect Umbral payload

Umbral family

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Reads user/profile data of web browsers

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Detect Umbral payload

Umbral

Umbral family

Command and Scripting Interpreter: PowerShell

Reads user/profile data of web browsers

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25