Overview

overview

10

Static

static

10

Umbral.Stealer.zip

windows7-x64

7

Umbral.Stealer.zip

windows10-2004-x64

1

Resubmissions

09-01-2025 19:47

250109-yhpa6syqcx 10

Analysis

  • max time kernel
    10s
  • max time network
    0s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    09-01-2025 19:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Umbral.Stealer.zip

  • Size

    3.3MB

  • MD5

    f355889db3ff6bae624f80f41a52e619

  • SHA1

    47f7916272a81d313e70808270c3c351207b890f

  • SHA256

    8e95865efd39220dfc4abebc27141d9eae288a11981e43f09cbee6bf90347fe0

  • SHA512

    bff7636f6cc0fadfd6f027e2ebda9e80fd5c64d551b2c666929b2d990509af73b082d739f14bb1497be292eafe703ebd5d7188493e2cc34b73d249fe901820eb

  • SSDEEP

    98304:XINn7mVoLvbDU48xzliDSjtYV2jg0tsGTplmOhl88uF:mjLvvD8BcSjtAB0zplNl8Z

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Umbral.Stealer.zip"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1996
    • C:\Users\Admin\AppData\Local\Temp\7zOCC71B8F6\Umbral.builder.exe
      "C:\Users\Admin\AppData\Local\Temp\7zOCC71B8F6\Umbral.builder.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2088
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2088 -s 604
        3⤵
          PID:2140
      • C:\Users\Admin\AppData\Local\Temp\7zOCC7CC9E6\Umbral.builder.exe
        "C:\Users\Admin\AppData\Local\Temp\7zOCC7CC9E6\Umbral.builder.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2792
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 2792 -s 604
          3⤵
            PID:2824

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\7zOCC71B8F6\Umbral.builder.exe
        Filesize

        114KB

        MD5

        d91fb6867df7e4303d98b5e90faae73c

        SHA1

        496f53ad8cd9381f1c1b577a73e978081002c1db

        SHA256

        bb19b002df31e1196b4e6530cf54c449e9cf1383d3adc5334a0442fa96b36344

        SHA512

        5dbcfe9bf567c6f1e18027950726af1835ab8b363ba8b040fd379b4cfe94b0894bc969b3c04fa4f1964b441a7b894bd4d37f3aabe3ea31396687a6ca093cfdc9

        Download Submit

      • memory/2088-11-0x0000000000E70000-0x0000000000E92000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2792-23-0x00000000009E0000-0x0000000000A02000-memory.dmp

        Filesize

        136KB

        Download