Extracted

• • Target

    gorebox.EXE

  • Size

    75.0MB

  • MD5

    e504465ef30dc4983a1445d636ac4bcd

  • SHA1

    bc1fc4111afa7e3b7f0fdb4b665e9310967c5af0

  • SHA256

    a2d4a359403b49cd17d87d3509d7493f866b9caf729ccf95e433895f2d2d7d81

  • SHA512

    39192e6da7931ce5c9dcee9a058dbe94c2355b7a56651007c1bb7b45bdcc08f2601e2e492a5a515fff1656502cb750f3963fe3c73c85dc842d1a9c11c9fed009

  • SSDEEP

    1572864:anSX8kOiIrPPR2eSq/uIgiR7DM9SKsqeY69ViMUfjPpIDGg7zgyi5Jw1:aSMkOiIrnk5tdiy9Sjt9VUpI6gvc5J

  Score

  10^/10

  umbralevasionexecutionpersistencespywarestealerupx

  • Detect Umbral payload

  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral

  • Umbral family

    umbral

  • Enumerates VirtualBox DLL files

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Drops file in Drivers directory

  • Sets file to hidden

    Modifies file attributes to stop it showing in Explorer etc.

    evasion

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1