11-01-2025 02:53

250111-ddkf7ssrap 10

General

  • Target

    Umbral.bat

  • Size

    387KB

  • Sample

    250111-ddkf7ssrap

  • MD5

    1e183c2ada7d55a0ccf510721415d5bc

  • SHA1

    fdf973e881b0999cfde6e1a4404e0a14fba53aab

  • SHA256

    5c857070215559b9e49212029a3ae61eb292347f527ba4b2f8f602eaae003654

  • SHA512

    4b1a3f2e91b01468c219650e8c685bc197cb0fe2907c71db073b4a59d2cfdc91ed7975c1af01de5aed89fa59dd2b17785777e57653b896a4a39f73a65d37ec49

  • SSDEEP

    6144:8idBBBsj84TcfmJNvqNuxdoyw6HWT1uPnCFIv8uOpjMWYYubRJjp03rrHA/APAxL:8idBBV8HolsnC6EUjEOAIdwum+

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1315812787699585118/w2lqDrVQqtFwk0uhRh-_CNIYMagyoPfqPEpCtbHgfK7cFpwIVOyIa3juwBy7vnR8Bh0g

Targets

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an open-source modular stealer written in C#.

    • Umbral family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15