umbral | 1fdd74b8ece8754712fe0ccc0104a61bf6469174d628f66cd87d9e1249fa5707

Analysis

max time kernel
17s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/12/2024, 06:09

Target

HotmailChecker/Data/Modules/Checker.exe
Size

487KB
MD5

bbf26eaf97edcdc7d55df2c17f33ba64
SHA1

03fa144cdbf85c5ed783f894f801234836d080e9
SHA256

3686fdc29551a6f3c5df38017e8fea2efdcac7dac7b91be78c6fdbfcfd48ee4b
SHA512

67e901df80916c3d8328be210847fbacae67bbb14fd4b2e629aaae200837ede5e7acd605a0054b158944bb1aeb65b4ec861a9882a4ec13260657757393618419
SSDEEP

6144:TloZM+rIkd8g+EtXHkv/iD4712hAmB5KB/Cwhl0mBib8e1m+BJiBN1C4q1q6NO+h:RoZtL+EP8712hAmB5KB/Cwhl0Zzq9LQ

Score

10^/10

umbral stealer

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/2408-1-0x0000000000CC0000-0x0000000000D40000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2408	Checker.exe

C:\Users\Admin\AppData\Local\Temp\HotmailChecker\Data\Modules\Checker.exe
"C:\Users\Admin\AppData\Local\Temp\HotmailChecker\Data\Modules\Checker.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2408

memory/2408-0-0x000007FEF5DA3000-0x000007FEF5DA4000-memory.dmp

Filesize
4KB

Download
memory/2408-1-0x0000000000CC0000-0x0000000000D40000-memory.dmp

Filesize
512KB

Download
memory/2408-2-0x000007FEF5DA0000-0x000007FEF678C000-memory.dmp

Filesize
9.9MB

Download
memory/2408-3-0x000007FEF5DA3000-0x000007FEF5DA4000-memory.dmp

Filesize
4KB

Download
memory/2408-4-0x000007FEF5DA0000-0x000007FEF678C000-memory.dmp

Filesize
9.9MB

Download