umbral | 98d6a942ccc041bb0534b401fef09d82b4d2a4690673c325217457e625e6259b | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

CounterAtt...07.exe

windows7-x64

CounterAtt...07.exe

windows10-2004-x64

Sharing

General

Target

CounterAttack1.3.07.exe
Size

4.0MB
Sample

250109-vf5ctsxkek
MD5

768fac5fc9b1a6723ec5e88643cfa69b
SHA1

ecadbe36d1526e2564eda430956b23d41b08e41a
SHA256

98d6a942ccc041bb0534b401fef09d82b4d2a4690673c325217457e625e6259b
SHA512

e4219e87335cccf156828c9271b6e619fc2f3ad848eb3a82ddc683679efb86e4575b2c0325ede1f3a06a533cb5bbdce75bd227ff46ee309902ba7e1554411690
SSDEEP

49152:NNEVtO1U1y1DDDDDD7Llngq7NNMqU0p2Vhk9aQNEVtO1U1y1DDDDDD7Llngq7NN0:NNEVJyZlng4p2VeNEVJyZlng4p2VMg

Score

10^/10

umbral discovery execution spyware stealer

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

CounterAttack1.3.07.exe

Resource

win7-20240903-en

umbral discovery execution spyware stealer

windows7-x64

19 signatures

150 seconds

Behavioral task

behavioral2

Sample

CounterAttack1.3.07.exe

Resource

win10v2004-20241007-en

umbral discovery execution spyware stealer

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1326955608112496710/UQehMk_daQ2YbkYBZ11umbBWXbi1b3G49GJ1zVYdBwPGpiZwYf8UJiTlt6xSrBCEwhJ_

Targets

- Target
  
  CounterAttack1.3.07.exe
- Size
  
  4.0MB
- MD5
  
  768fac5fc9b1a6723ec5e88643cfa69b
- SHA1
  
  ecadbe36d1526e2564eda430956b23d41b08e41a
- SHA256
  
  98d6a942ccc041bb0534b401fef09d82b4d2a4690673c325217457e625e6259b
- SHA512
  
  e4219e87335cccf156828c9271b6e619fc2f3ad848eb3a82ddc683679efb86e4575b2c0325ede1f3a06a533cb5bbdce75bd227ff46ee309902ba7e1554411690
- SSDEEP
  
  49152:NNEVtO1U1y1DDDDDD7Llngq7NNMqU0p2Vhk9aQNEVtO1U1y1DDDDDD7Llngq7NN0:NNEVJyZlng4p2VeNEVJyZlng4p2VMg
Score

10^/10

umbral discovery execution spyware stealer
- Detect Umbral payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Umbral family
  umbral
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

umbraldiscoveryexecutionspywarestealer

behavioral2

umbraldiscoveryexecutionspywarestealer

© 2018-2025

Terms | Privacy

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.