umbral

General

Target

HotmailChecker.rar
Size

13.4MB
Sample

241204-gwmk3avnhx
MD5

35ea1c7731e236f979e08a137325b9c5
SHA1

946d7b8f3cdaf597af1c4864fc7b3e29146915fd
SHA256

1fdd74b8ece8754712fe0ccc0104a61bf6469174d628f66cd87d9e1249fa5707
SHA512

ed35386e65818ad682fb5c9b60f3ecbf5a8db1cfb1781fee221b9c516089c1def14c68469ba1c650fb075369ca4c46548da3327bafbe20b742d7b593c1dc2e62
SSDEEP

393216:/ABEkVLaMoH0Tg+0Fl+DYpV5q11pKRN12:/qV/o8g+0FlTbSA12

Score

10^/10

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1313629836123701339/Kt7aN662-PLmBrtOJlGM8i80cBQ0uT9N6Zzzz3QWJ-l36WQOJ1KxRT7UP0SRlWcY91Dk

Targets

- Target
  
  HotmailChecker/Data/Modules/Checker.exe
- Size
  
  487KB
- MD5
  
  bbf26eaf97edcdc7d55df2c17f33ba64
- SHA1
  
  03fa144cdbf85c5ed783f894f801234836d080e9
- SHA256
  
  3686fdc29551a6f3c5df38017e8fea2efdcac7dac7b91be78c6fdbfcfd48ee4b
- SHA512
  
  67e901df80916c3d8328be210847fbacae67bbb14fd4b2e629aaae200837ede5e7acd605a0054b158944bb1aeb65b4ec861a9882a4ec13260657757393618419
- SSDEEP
  
  6144:TloZM+rIkd8g+EtXHkv/iD4712hAmB5KB/Cwhl0mBib8e1m+BJiBN1C4q1q6NO+h:RoZtL+EP8712hAmB5KB/Cwhl0Zzq9LQ
Score

10^/10

umbral stealer discovery execution spyware
- Detect Umbral payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Umbral family
  umbral
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2
- Target
  
  HotmailChecker/Data/Modules/Checker1.exe
- Size
  
  12.5MB
- MD5
  
  44435e68924ac9bfdfe2a05c20836a0b
- SHA1
  
  41fef94de48e3db13ff4a5f6884127f144ba480d
- SHA256
  
  8abab703a85d9cd8c30e7b8c54d3520c2ddd01882fcf2c043b097c0733008083
- SHA512
  
  710fbcc707a58e90c3aee9affa8c0de2a816c4fc91df2861867b1ee7d13c6eabbb24aef9156d540218d9b537a0a24b76c001041dc4e3ffaea8e22a38ba14fd01
- SSDEEP
  
  196608:o+PlY7HakrIK63UtauZijIXMCHGLLc54i1wN+Q7PIcu9KYK39shSEo3PPYcUMeKk:d4ae63hucsXMCHWUj/cuId9/PYTcsWF
Score

7^/10
- Loads dropped DLL
behavioral3 behavioral4
- Target
  
  HotmailChecker/Hotmail Checker.exe
- Size
  
  582KB
- MD5
  
  82c493c58ad0ed2255d1500840d1d75c
- SHA1
  
  24b2997983add8d90e896af2dbdc32cf19895389
- SHA256
  
  325a912d9f9f4878cfc13a45a2da2494b4c4080c39d8a40166eb39c6ef3d24a0
- SHA512
  
  68f91fe3693dffdaadf28ad5dd3719cdfddff6e4729f48774ae336aef97908d8bc2c419aff65a7d4cbe24e2b85ea2f311dfec2de1136ed7fd7374d2d3ead8c88
- SSDEEP
  
  6144:oOaTmuaJ0GFRabVg8O1lFrRawLmKx85EJXlkc3rNPWyXJJy1LDR6qwYelXN1C4q1:oOSmvFobVgZtCKZX97NPWyXgteYILQ
Score

10^/10

umbral discovery execution stealer
- Detect Umbral payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Umbral family
  umbral
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral5 behavioral6