General

  • Target

    Umbral.exe

  • Size

    229KB

  • Sample

    241226-bsajfatmbr

  • MD5

    01e9ef5cd813c3738e9022a585850003

  • SHA1

    e2e6b6c2784bbb7e27ba99ae16c2552e9af83e35

  • SHA256

    d6c6071e9ddf1c01281663073fe2a9fba3d3c4046975becbb0f6f9fa81cab6d3

  • SHA512

    76249812653272bf4de18bb46b28be191d7fb7806a1275bb14d03c5f75ea0e470a44d526fc0fdd9dfc6b357114f81d094b6c2e346a86fd9d3c5de59a06b294d8

  • SSDEEP

    6144:9loZM9rIkd8g+EtXHkv/iD4cG69oOJBi+HaIJtM2jb8e1m7i:foZOL+EP8cG69oOJBi+HaIJtMgR

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1320912836599218216/k9bIrB2BiAkyvg4SizCODl9JCoKUOHygFk7krbn0Ivq1zpulxjEGeziuZ3TlgvqeKHZ4
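The C2 above is a Discord webhook, i.e. a legitimate hosting service abused for exfiltration (the report flags this under the Targets signatures). As an added example that is not part of the sandbox report and not Umbral's own code, the following Python script pulls webhook URLs out of an extracted configuration, decodes the creation time embedded in the webhook ID (Discord snowflake IDs carry a millisecond timestamp in their upper 42 bits, counted from the 2015-01-01 Discord epoch), and produces a defanged, token-redacted form for sharing. The ID plus token is the full credential for posting to that webhook, so the raw URL should not circulate in the clear. The second webhook in the input blob and the non-webhook URL are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Discord snowflake IDs carry a millisecond timestamp in their upper 42 bits,
# counted from the Discord epoch 2015-01-01T00:00:00Z.
DISCORD_EPOCH_MS = 1_420_070_400_000

# Webhook endpoint shape: /api/webhooks/<id>/<token>.  discordapp.com and the
# ptb./canary. hosts serve the same API, so accept those too.
WEBHOOK_RE = re.compile(
    r"https?://(?:(?:ptb|canary)\.)?discord(?:app)?\.com/api/webhooks/"
    r"(?P<id>\d{17,20})/(?P<token>[A-Za-z0-9_-]{20,})"
)

# The C2 value from the extracted configuration in this report.
SAMPLE_C2 = (
    "https://discord.com/api/webhooks/1320912836599218216/"
    "k9bIrB2BiAkyvg4SizCODl9JCoKUOHygFk7krbn0Ivq1zpulxjEGeziuZ3TlgvqeKHZ4"
)


def snowflake_created_at(snowflake: int) -> datetime:
    """Creation time encoded in a Discord snowflake, as an aware UTC datetime."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms // 1000, tz=timezone.utc)


def defang(url: str) -> str:
    """Shareable form: scheme and domain broken, token removed, ID kept."""
    m = WEBHOOK_RE.search(url)
    if m is None:
        raise ValueError("not a Discord webhook URL")
    return f"hxxps://discord[.]com/api/webhooks/{m.group('id')}/<token-redacted>"


def describe_webhook(url: str):
    """Parse one webhook URL; None if the URL is not a webhook endpoint."""
    m = WEBHOOK_RE.search(url)
    if m is None:
        return None
    wid = int(m.group("id"))
    return {
        "id": wid,
        "token": m.group("token"),
        "created_at": snowflake_created_at(wid),
        "defanged": defang(url),
    }


def extract_webhooks(blob: str) -> list:
    """All distinct webhooks in a config dump or strings output, first seen wins."""
    seen, found = set(), []
    for m in WEBHOOK_RE.finditer(blob):
        wid = int(m.group("id"))
        if wid in seen:
            continue
        seen.add(wid)
        found.append(describe_webhook(m.group(0)))
    return found


# Constructed input: the report's C2 twice, a made-up second webhook, and a
# non-webhook Discord API URL that must be ignored.
CONSTRUCTED_BLOB = "\n".join([
    "config.webhook = " + SAMPLE_C2,
    "https://discord.com/api/v10/users/@me",
    "https://discord.com/api/webhooks/1000000000000000000/ConstructedTokenForTheExampleOnly_0000",
    "retry = " + SAMPLE_C2,
])

if __name__ == "__main__":
    for hook in extract_webhooks(CONSTRUCTED_BLOB):
        print(hook["defanged"], "created", hook["created_at"].isoformat())
```

For this sample the decoded creation time is 2024-12-24 00:36:01 UTC, two days before the 241226 prefix of the sample ID if that is read as a 2024-12-26 submission date, which is consistent with a webhook provisioned shortly before the build was distributed. The creation time survives even after Discord deletes the webhook, so it is worth recording alongside the ID when filing an abuse report.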

Targets

    • Target

      Umbral.exe

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an open-source modular stealer written in C#. This sample exfiltrates collected data through the Discord webhook listed in the extracted configuration above.

    • Umbral family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes so that the payload and its working directories are not scanned.

    • Drops file in Drivers directory

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers commonly harvest stored browser data such as saved credentials, cookies, and autofill entries.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Queries a legitimate IP lookup web service to determine the infected system's external IP address.
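The Defender exclusion behaviour flagged above is one of the more detectable things this sample does, because the cmdlet and its parameters have to appear in the PowerShell command line or script block. As an added example, not taken from the report or from Umbral, the following Python script scans constructed log lines (a Sysmon Event ID 1 command line and PowerShell Event ID 4104 script-block text, all made up for illustration) for Add-MpPreference and Set-MpPreference calls that set -Exclusion* parameters and extracts the excluded paths, processes and extensions. It matches the parameter stem rather than full parameter names because PowerShell accepts any unambiguous prefix (-ExclusionExt works as well as -ExclusionExtension), which a naive string match on the full name would miss.

```python
import re

# Defender preference cmdlets that can add exclusions (Get-MpPreference is
# read-only and must not alert).
MP_CMDLET_RE = re.compile(r"\b(?P<cmdlet>(?:Add|Set)-MpPreference)\b", re.IGNORECASE)

# -Exclusion* parameter followed by its value list.  PowerShell accepts any
# unambiguous parameter prefix, so "-ExclusionExt" is as valid as
# "-ExclusionExtension"; matching the stem covers both.  The value runs until
# the next "-Parameter", a statement separator, or end of line.
EXCLUSION_RE = re.compile(
    r"-(?P<param>Exclusion\w*)\s+(?P<raw>[^\s-][^;|&]*?)(?=\s+-\w|\s*[;|&]|$)",
    re.IGNORECASE,
)

# Individual values inside the list: quoted strings or bare tokens separated
# by commas and/or whitespace.
VALUE_TOKEN_RE = re.compile(r"'[^']*'|\"[^\"]*\"|[^,\s]+")


def find_exclusion_tampering(line: str) -> list:
    """One record per -Exclusion* parameter set by Add-/Set-MpPreference in a line."""
    cmdlet = MP_CMDLET_RE.search(line)
    if cmdlet is None:
        return []
    hits = []
    for m in EXCLUSION_RE.finditer(line):
        values = [t.strip("'\"") for t in VALUE_TOKEN_RE.findall(m.group("raw"))]
        values = [v for v in values if v]  # drop stray closing quotes
        if values:
            hits.append({
                "cmdlet": cmdlet.group("cmdlet"),
                "param": m.group("param"),
                "values": values,
            })
    return hits


def scan_powershell_logs(lines) -> list:
    """Run the detector over a sequence of log lines, tagging hits with the line index."""
    alerts = []
    for idx, line in enumerate(lines):
        for hit in find_exclusion_tampering(line):
            alerts.append({"line": idx, **hit})
    return alerts


# Constructed log lines for illustration; none are from the sandbox run.
SAMPLE_LOGS = [
    # Sysmon EID 1 style command line with a quoted path
    'CommandLine: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    '-NoProfile -Command "Add-MpPreference -ExclusionPath '
    "'C:\\Users\\victim\\AppData\\Roaming\\Umbral.exe'\"",
    # 4104 script block text, abbreviated parameter and a comma-separated list
    "ScriptBlockText: Add-MpPreference -ExclusionExt exe, dll, bat",
    "ScriptBlockText: Set-MpPreference -ExclusionProcess \"Umbral.exe\"",
    # benign admin activity that must not fire
    "ScriptBlockText: Get-MpPreference | Select-Object ExclusionPath",
    'CommandLine: powershell.exe -Command "Get-MpComputerStatus"',
]

if __name__ == "__main__":
    for alert in scan_powershell_logs(SAMPLE_LOGS):
        print(f"line {alert['line']}: {alert['cmdlet']} {alert['param']} -> {alert['values']}")
```

The extracted values are the useful part of the alert: an exclusion on a path under a user profile, or on a process name that is not a known product, is far more suspicious than one added by an installer, and the values can be fed straight into a hunt for the excluded file on other hosts.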

MITRE ATT&CK Enterprise v15

Tasks