umbral | e8ca7b16e9cf6d75c2cda06a34f001d9da94a2de407758837aa77dc5d79b22f9 | Triage

Submit
Reports

Overview

overview

Static

static

3

Slinky (infected).zip

windows10-2004-x64

Sharing

General

Target

Slinky (infected).zip
Size

35.0MB
Sample

241230-ll69yaxkev
MD5

dd023f6d41f8f2f06f959da73f6155de
SHA1

64c0cb253073cb4314a6b8491d05e6338d41b6c1
SHA256

e8ca7b16e9cf6d75c2cda06a34f001d9da94a2de407758837aa77dc5d79b22f9
SHA512

04dbd52a1f19623d14d4d501840690a107b3b8141404cccda5b5477a5bb60ef4e5eea5e6954305b5d34382a38894dc27bfe0b2fa1b90b15ddea9ec1475915380
SSDEEP

786432:JFUtju4TxpFDi94Z9dF76v6NhEzGZ1I73hsSACyeCBDC:nYjra9mtDVIrhHvoC

Score

10^/10

umbral execution spyware stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Slinky (infected).zip

Resource

win10v2004-20241007-en

umbral execution spyware stealer

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Targets

- Target
  
  Slinky (infected).zip
- Size
  
  35.0MB
- MD5
  
  dd023f6d41f8f2f06f959da73f6155de
- SHA1
  
  64c0cb253073cb4314a6b8491d05e6338d41b6c1
- SHA256
  
  e8ca7b16e9cf6d75c2cda06a34f001d9da94a2de407758837aa77dc5d79b22f9
- SHA512
  
  04dbd52a1f19623d14d4d501840690a107b3b8141404cccda5b5477a5bb60ef4e5eea5e6954305b5d34382a38894dc27bfe0b2fa1b90b15ddea9ec1475915380
- SSDEEP
  
  786432:JFUtju4TxpFDi94Z9dF76v6NhEzGZ1I73hsSACyeCBDC:nYjra9mtDVIrhHvoC
Score

10^/10

umbral execution spyware stealer
- Detect Umbral payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Umbral family
  umbral
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

umbralexecutionspywarestealer

© 2018-2025

Terms | Privacy