umbral | 5c857070215559b9e49212029a3ae61eb292347f527ba4b2f8f602eaae003654 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

1

Umbral.bat

windows10-ltsc 2021-x64

Umbral.bat

windows11-21h2-x64

Resubmissions

11/01/2025, 02:53 UTC

250111-ddkf7ssrap 10

Sharing

General

Target

Umbral.bat
Size

387KB
Sample

250111-ddkf7ssrap
MD5

1e183c2ada7d55a0ccf510721415d5bc
SHA1

fdf973e881b0999cfde6e1a4404e0a14fba53aab
SHA256

5c857070215559b9e49212029a3ae61eb292347f527ba4b2f8f602eaae003654
SHA512

4b1a3f2e91b01468c219650e8c685bc197cb0fe2907c71db073b4a59d2cfdc91ed7975c1af01de5aed89fa59dd2b17785777e57653b896a4a39f73a65d37ec49
SSDEEP

6144:8idBBBsj84TcfmJNvqNuxdoyw6HWT1uPnCFIv8uOpjMWYYubRJjp03rrHA/APAxL:8idBBV8HolsnC6EUjEOAIdwum+

Score

10^/10

umbral discovery execution stealer

Static task

static1

Behavioral task

behavioral1

Sample

Umbral.bat

Resource

win10ltsc2021-20241211-en

umbral discovery execution stealer

windows10-ltsc 2021-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

Umbral.bat

Resource

win11-20241007-en

umbral discovery execution stealer

windows11-21h2-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1315812787699585118/w2lqDrVQqtFwk0uhRh-_CNIYMagyoPfqPEpCtbHgfK7cFpwIVOyIa3juwBy7vnR8Bh0g

Targets

- Target
  
  Umbral.bat
- Size
  
  387KB
- MD5
  
  1e183c2ada7d55a0ccf510721415d5bc
- SHA1
  
  fdf973e881b0999cfde6e1a4404e0a14fba53aab
- SHA256
  
  5c857070215559b9e49212029a3ae61eb292347f527ba4b2f8f602eaae003654
- SHA512
  
  4b1a3f2e91b01468c219650e8c685bc197cb0fe2907c71db073b4a59d2cfdc91ed7975c1af01de5aed89fa59dd2b17785777e57653b896a4a39f73a65d37ec49
- SSDEEP
  
  6144:8idBBBsj84TcfmJNvqNuxdoyw6HWT1uPnCFIv8uOpjMWYYubRJjp03rrHA/APAxL:8idBBV8HolsnC6EUjEOAIdwum+
Score

10^/10

umbral discovery execution stealer
- Detect Umbral payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Umbral family
  umbral
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Credential Access

Discovery

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

umbraldiscoveryexecutionstealer

behavioral2

umbraldiscoveryexecutionstealer

© 2018-2025

Terms | Privacy

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.