umbral

General

Target

launcher.exe.exe
Size

40.0MB
Sample

241206-ngys4s1kcp
MD5

bad6b4ffa6b16bbd802f3f4f887760b2
SHA1

d45d0a086cf87cf14aa129a9b34d5c9f80ab6ae2
SHA256

a13dd805f2700173d410809954b9d98ae3586c0c65c20270a378887d83b738b0
SHA512

fc0398c9ab294dc3f379e1129fbb20e35fcbae728a1619aa3c1f316541dbbb717d9662feca11dd2e1f45c814b2debb9468b99830c8ea33ebff47bc474a87cd1c
SSDEEP

786432:IDOEGyqaCfzdbbTBYlx6Tstl7wi48Yi/xOMx75Ss5VR4L50IhbURTq3:ID7glBYyYtxw58rxOMFXRRIhbU1O

Score

10^/10

Malware Config

Targets

- Target
  
  launcher.exe.exe
- Size
  
  40.0MB
- MD5
  
  bad6b4ffa6b16bbd802f3f4f887760b2
- SHA1
  
  d45d0a086cf87cf14aa129a9b34d5c9f80ab6ae2
- SHA256
  
  a13dd805f2700173d410809954b9d98ae3586c0c65c20270a378887d83b738b0
- SHA512
  
  fc0398c9ab294dc3f379e1129fbb20e35fcbae728a1619aa3c1f316541dbbb717d9662feca11dd2e1f45c814b2debb9468b99830c8ea33ebff47bc474a87cd1c
- SSDEEP
  
  786432:IDOEGyqaCfzdbbTBYlx6Tstl7wi48Yi/xOMx75Ss5VR4L50IhbURTq3:ID7glBYyYtxw58rxOMFXRRIhbU1O
Score

10^/10

umbral evasion execution persistence stealer
- Detect Umbral payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Umbral family
  umbral
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Stops running service(s)
  evasion execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
behavioral1