umbral | sybersec[.]rar | Triage

Sharing

General

Target

sybersec.rar
Size

1.1MB
MD5

0cf0c7b2beec7b554978a4a8c379c035
SHA1

0c99d38801e2502da75cc33c0a758eb6f50953f4
SHA256

b9dbdd3444445ce02cab79fc62117bf55a61eb921228150e11ed540cf1fcd4e0
SHA512

9f6a14bcf23fbf62894565ea0ed2a4ba1f7a845497b35cb8a7a919fbf70d708328e17204db6062969ed4f202e654d78da2ed6c01f41e37fcf65eacd5e37c68a3
SSDEEP

24576:PoQNfJ088tydtKfrxEV+WVMLa59IGCVtybjJQd:AQ9Jl8ty/KfukoMLi9Ivtgj6

Score

10^/10

botnet umbral

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1311602984152600606/wcG26MMfNLtmUgurpnrq9KfoooNMhJSn62Nzx43I0sekrublXlycBDl0or6UoMIG_Pti

Signatures

Contains strings common to LOLSquad DDoS tools 1 IoCs

Resembles a range of public tools written in C intended for DDoS attacks.

resource	yara_rule
static1/unpack001/nfo-killer	lolsquad_ddos

Detect Umbral payload 1 IoCs

resource	yara_rule
static1/unpack001/cybersec multitool.exe	family_umbral

Umbral family
umbral

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/cybersec multitool.exe

Files

sybersec.rar
.rar
HTTP-RAND.js
.js
HTTP-RAW.js
.js
HTTP-SOCKET.js
.js
Hulk.go
.js
MINECRAFT-SLAM
.elf linux x64
OVERFLOW
.elf linux x64
cybersec multitool.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 227KB - Virtual size: 226KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 403KB - Virtual size: 402KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
destroy.pl
.pl .sh linux
flux
.elf linux x64
god.pl
.pl .sh linux
header.txt
home.pl
.pl .sh linux
http.txt
http1.js
.js
httpflood.go
https-spoof.py
hyper.js
.js
ldap
.elf linux x64
ldap.txt
nfo-killer
.elf linux x64
ntp
.elf linux x64
ntp.txt