8e95865efd39220dfc4abebc27141d9eae288a11981e43f09cbee6bf90347fe0

Analysis

max time kernel
47s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
06-01-2025 04:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Umbral.Stealer.zip
Size

3.3MB
MD5

f355889db3ff6bae624f80f41a52e619
SHA1

47f7916272a81d313e70808270c3c351207b890f
SHA256

8e95865efd39220dfc4abebc27141d9eae288a11981e43f09cbee6bf90347fe0
SHA512

bff7636f6cc0fadfd6f027e2ebda9e80fd5c64d551b2c666929b2d990509af73b082d739f14bb1497be292eafe703ebd5d7188493e2cc34b73d249fe901820eb
SSDEEP

98304:XINn7mVoLvbDU48xzliDSjtYV2jg0tsGTplmOhl88uF:mjLvvD8BcSjtAB0zplNl8Z

Score

7^/10

agilenet

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2332	Umbral.builder.exe

Obfuscated with Agile.Net obfuscator 16 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/files/0x001900000002aae6-101.dat	agile_net
behavioral1/memory/2332-102-0x0000017FF24C0000-0x0000017FF24E0000-memory.dmp	agile_net
behavioral1/files/0x001900000002ab0b-103.dat	agile_net
behavioral1/memory/2332-104-0x0000017FF24E0000-0x0000017FF2500000-memory.dmp	agile_net
behavioral1/files/0x001900000002aaf8-105.dat	agile_net
behavioral1/memory/2332-106-0x0000017FF2F00000-0x0000017FF2F6E000-memory.dmp	agile_net
behavioral1/memory/2332-114-0x0000017FF2520000-0x0000017FF253E000-memory.dmp	agile_net
behavioral1/files/0x001900000002aae9-113.dat	agile_net
behavioral1/memory/2332-112-0x0000017FF2370000-0x0000017FF2380000-memory.dmp	agile_net
behavioral1/files/0x001000000002ab07-111.dat	agile_net
behavioral1/memory/2332-110-0x0000017FF2D60000-0x0000017FF2DBA000-memory.dmp	agile_net
behavioral1/files/0x001900000002aae5-109.dat	agile_net
behavioral1/memory/2332-108-0x0000017FF2360000-0x0000017FF236E000-memory.dmp	agile_net
behavioral1/files/0x001900000002aaeb-107.dat	agile_net
behavioral1/files/0x001c00000002aae4-116.dat	agile_net
behavioral1/memory/2332-117-0x0000017FF30C0000-0x0000017FF320A000-memory.dmp	agile_net

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe
2332	Umbral.builder.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3324	7zFM.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	3324	7zFM.exe
Token: 35	3324	7zFM.exe
Token: SeSecurityPrivilege	3324	7zFM.exe
Token: SeDebugPrivilege	2332	Umbral.builder.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3324	7zFM.exe
3324	7zFM.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Umbral.Stealer.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3324

C:\Users\Admin\Desktop\Umbral.builder.exe
"C:\Users\Admin\Desktop\Umbral.builder.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2332

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\Bunifu.Licensing.dll

Filesize
1.3MB

MD5
2b2740e0c34a46de31cf9da8a75d77cf

SHA1
242324f1112e6387cda41686291b6e9a415eeb8c

SHA256
a9be91cae167702885a5ca74273db779e3e391e2e604cc03779ed403c53ebe43

SHA512
605eb300b159e6ed2ee872b6ee378eed7dde6541000221fcd94d52057be91cb3c7dd65c7203f05e0718303b157b6fb941498b5e653501f97f0417d459da6bc40

Download Submit
C:\Users\Admin\Desktop\Bunifu.UI.WinForms.1.5.3.dll

Filesize
342KB

MD5
41c216d27c71a227774e680e95e99f31

SHA1
0a2a93d4ecbf4bbec2faf110066c6b4472b0dbf5

SHA256
012d717b4ac00c3686a772757f49c1908e223624e3974314cdb9fc9291073305

SHA512
e355ba11e41b668e4459f709e87c3e212c8986ea894791d9155791ea9d7315372fb51531eb69204ed2ee38e242de7629e4a2f090c05bf9deeea9ea965ffaf651

Download Submit
C:\Users\Admin\Desktop\Bunifu.UI.WinForms.BunifuButton.dll

Filesize
107KB

MD5
21f999e5ac72a16077511d41590822de

SHA1
d8bb1a8a291f73cdf2b5658b2b65736c87db19dd

SHA256
2a62c78f1f0db2e3258135b50f7885e6734c31c74a8f2f5782f285aa268c2f71

SHA512
e04fe31870f266d772829053a6bb210a9513ff5c8c0f9a3a267ddbe1875125496caa602baf44a4e241ef84d933bd55b79af43d5871ed10c81711adecee78b8e3

Download Submit
C:\Users\Admin\Desktop\Bunifu.UI.WinForms.BunifuCheckBox.dll

Filesize
102KB

MD5
ef11f59a9381df17d7ab94434f79f260

SHA1
ec11e46a636fe3927fd5fa7c30be65b958853ef0

SHA256
390252aeb6fd76a954a03853c3d883e0360dc8b3f2cf8cfed5ba94e4e5a24da4

SHA512
612b1b0f9204c605ff5e9b91816e674cdaea71fa69f81a5a7f475bf1cc8d5e12687deb1b0118b07b3d7e4764adede0576f8fc799f8155a65a70e5dafff50f73d

Download Submit
C:\Users\Admin\Desktop\Bunifu.UI.WinForms.BunifuColorTransition.dll

Filesize
38KB

MD5
539d803013c0b1592d0e17a740d72687

SHA1
b0ce15e0f096d027b1d1482afa9d93bafd160f7a

SHA256
500adece1fba76dfb2fa628de9886a2661ed1a4e58a7717a5fee607206bb1d81

SHA512
77d8ab7a949db41a79371cf2ebd5d67bd4a38dd040de0073c878f50b2a6409fae2dc5db7cbf375fbc1bc571838b0a6d4848bdecc1420d91633b878585c94b9dd

Download Submit
C:\Users\Admin\Desktop\Bunifu.UI.WinForms.BunifuLabel.dll

Filesize
420KB

MD5
73ca0338c9c3b7901d3621b346c76a7a

SHA1
79d26ee6e1bf0beb2ee0593562592de8ff01935b

SHA256
a505193910f7b8fd6123c00bb437bff3d2a4f28c970e24207d395554765e6ad4

SHA512
53e0b84dffbec8e465955bc91f1207ba56a55543ba3c00c66997b3ee3d4cb904e027915a12f7a9dc79ffef4cde633c9b7543436c4ab97785ca2169bc3d4aeede

Download Submit
C:\Users\Admin\Desktop\Bunifu.UI.WinForms.BunifuShadowPanel.dll

Filesize
45KB

MD5
ebaf1a6efa8c7a04d174be7e0df602a7

SHA1
ce08c80e52b6cf3f62ba82408d8f32ae6bcef0d8

SHA256
1858b16074d7f9b73f462e3adcc77309800594fa96f2e0904c810eda4eaf5e86

SHA512
4ffd5dcb59a4a03273c4e88047c7d398f098302b9485d07cf5549ca0d72467102aafa69298e248250df154a8b09f7560e634cca9cb1af2838baf3965aa645b31

Download Submit
C:\Users\Admin\Desktop\Bunifu.UI.WinForms.BunifuTextBox.dll

Filesize
112KB

MD5
fd2042c49df3e74e096b8cee8cc9fe43

SHA1
4ccdb0e13c24fb71f502d50e34f00c39bcacf307

SHA256
4569393e1aad7498c6a7c8a84f79d0cd7a1d0656e912d0ddb607b61163673976

SHA512
c93ad9cb411c311b0feeefdf2089c0c13098c7d2bab56345f4e9a7fc515965a3893c613d494adbbb066801eeb3dc32237a8322f7a5f876284a06b447efdad641

Download Submit
C:\Users\Admin\Desktop\Umbral.builder.exe

Filesize
114KB

MD5
d91fb6867df7e4303d98b5e90faae73c

SHA1
496f53ad8cd9381f1c1b577a73e978081002c1db

SHA256
bb19b002df31e1196b4e6530cf54c449e9cf1383d3adc5334a0442fa96b36344

SHA512
5dbcfe9bf567c6f1e18027950726af1835ab8b363ba8b040fd379b4cfe94b0894bc969b3c04fa4f1964b441a7b894bd4d37f3aabe3ea31396687a6ca093cfdc9

Download Submit
C:\Users\Admin\Desktop\Umbral.builder.exe.config

Filesize
163B

MD5
dccd44fb11b8e4ebdfb822e809a54b6f

SHA1
1889d5ae8c7c70c051cbde104af6e0f31f8c1b63

SHA256
6862b25736259f7bfd344e43eea10a703885be381eee2a745ceb12916b01a158

SHA512
dadffe41bdadfc3a79cb34369c9a8b37ce4833aee18058b02dcb13d64007f022b80b63ab404572c60278937cf83b06b00712ff9ee302e725b9d5c7fe14bd5f50

Download Submit
memory/2332-104-0x0000017FF24E0000-0x0000017FF2500000-memory.dmp

Filesize
128KB

Download
memory/2332-99-0x00007FFF95453000-0x00007FFF95455000-memory.dmp

Filesize
8KB

Download
memory/2332-115-0x00007FFF95450000-0x00007FFF95F12000-memory.dmp

Filesize
10.8MB

Download
memory/2332-112-0x0000017FF2370000-0x0000017FF2380000-memory.dmp

Filesize
64KB

Download
memory/2332-106-0x0000017FF2F00000-0x0000017FF2F6E000-memory.dmp

Filesize
440KB

Download
memory/2332-110-0x0000017FF2D60000-0x0000017FF2DBA000-memory.dmp

Filesize
360KB

Download
memory/2332-102-0x0000017FF24C0000-0x0000017FF24E0000-memory.dmp

Filesize
128KB

Download
memory/2332-108-0x0000017FF2360000-0x0000017FF236E000-memory.dmp

Filesize
56KB

Download
memory/2332-100-0x0000017FF06E0000-0x0000017FF0702000-memory.dmp

Filesize
136KB

Download
memory/2332-114-0x0000017FF2520000-0x0000017FF253E000-memory.dmp

Filesize
120KB

Download
memory/2332-117-0x0000017FF30C0000-0x0000017FF320A000-memory.dmp

Filesize
1.3MB

Download
memory/2332-118-0x0000017FF3210000-0x0000017FF3326000-memory.dmp

Filesize
1.1MB

Download
memory/2332-119-0x0000017FF2D00000-0x0000017FF2D30000-memory.dmp

Filesize
192KB

Download
memory/2332-120-0x00007FFF95450000-0x00007FFF95F12000-memory.dmp

Filesize
10.8MB

Download
memory/2332-121-0x00007FFF95450000-0x00007FFF95F12000-memory.dmp

Filesize
10.8MB

Download
memory/2332-122-0x00007FFF95453000-0x00007FFF95455000-memory.dmp

Filesize
8KB

Download
memory/2332-123-0x00007FFF95450000-0x00007FFF95F12000-memory.dmp

Filesize
10.8MB

Download
memory/2332-124-0x00007FFF95450000-0x00007FFF95F12000-memory.dmp

Filesize
10.8MB

Download
memory/2332-125-0x00007FFF95450000-0x00007FFF95F12000-memory.dmp

Filesize
10.8MB

Download
memory/2332-127-0x00007FFF95450000-0x00007FFF95F12000-memory.dmp

Filesize
10.8MB

Download