umbral | 331faea175ced9239aa38c09f75cf1cba4a331461268315b76c94bb7c7a4b8d8

Analysis

max time kernel
91s
max time network
142s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
12/01/2025, 05:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

resembleC2.exe
Size

128KB
MD5

4c8044c83f60465eae3cc16d7c858085
SHA1

bc837ba36a8f244283483210215a11607f05fb63
SHA256

331faea175ced9239aa38c09f75cf1cba4a331461268315b76c94bb7c7a4b8d8
SHA512

f4783ae1591dafc44b1731c34dfced82e5285099a4066b6492e063b1ca5edb4a0916fcad0617b38c0fc754c304d932879cf3014bfce83c0b9a7219f8bc737432
SSDEEP

3072:oRt4KXzdjBFUxzV4NsFYGvL9JjyVcUuyTRc8R:q4gRjBF4SKFYMLbjxUBRc8

Score

10^/10

umbral discovery execution spyware stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral2/files/0x001d00000002aaf6-22.dat	family_umbral
behavioral2/memory/1948-30-0x000002394C580000-0x000002394C5C0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4708	powershell.exe
4712	powershell.exe
2452	powershell.exe
3284	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	MoonHub.exe

Executes dropped EXE 2 IoCs

pid	Process
4244	6z2guuz0ldkdgc1o.exe
1948	MoonHub.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
3	0.tcp.eu.ngrok.io
3	discord.com
8	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4936	cmd.exe
4872	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3444	wmic.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	resembleC2.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	OpenWith.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4872	PING.EXE

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
1948	MoonHub.exe
4708	powershell.exe
4708	powershell.exe
4712	powershell.exe
4712	powershell.exe
2452	powershell.exe
2452	powershell.exe
4904	powershell.exe
4904	powershell.exe
3284	powershell.exe
3284	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4244	6z2guuz0ldkdgc1o.exe
Token: SeDebugPrivilege	1948	MoonHub.exe
Token: SeIncreaseQuotaPrivilege	3788	wmic.exe
Token: SeSecurityPrivilege	3788	wmic.exe
Token: SeTakeOwnershipPrivilege	3788	wmic.exe
Token: SeLoadDriverPrivilege	3788	wmic.exe
Token: SeSystemProfilePrivilege	3788	wmic.exe
Token: SeSystemtimePrivilege	3788	wmic.exe
Token: SeProfSingleProcessPrivilege	3788	wmic.exe
Token: SeIncBasePriorityPrivilege	3788	wmic.exe
Token: SeCreatePagefilePrivilege	3788	wmic.exe
Token: SeBackupPrivilege	3788	wmic.exe
Token: SeRestorePrivilege	3788	wmic.exe
Token: SeShutdownPrivilege	3788	wmic.exe
Token: SeDebugPrivilege	3788	wmic.exe
Token: SeSystemEnvironmentPrivilege	3788	wmic.exe
Token: SeRemoteShutdownPrivilege	3788	wmic.exe
Token: SeUndockPrivilege	3788	wmic.exe
Token: SeManageVolumePrivilege	3788	wmic.exe
Token: 33	3788	wmic.exe
Token: 34	3788	wmic.exe
Token: 35	3788	wmic.exe
Token: 36	3788	wmic.exe
Token: SeIncreaseQuotaPrivilege	3788	wmic.exe
Token: SeSecurityPrivilege	3788	wmic.exe
Token: SeTakeOwnershipPrivilege	3788	wmic.exe
Token: SeLoadDriverPrivilege	3788	wmic.exe
Token: SeSystemProfilePrivilege	3788	wmic.exe
Token: SeSystemtimePrivilege	3788	wmic.exe
Token: SeProfSingleProcessPrivilege	3788	wmic.exe
Token: SeIncBasePriorityPrivilege	3788	wmic.exe
Token: SeCreatePagefilePrivilege	3788	wmic.exe
Token: SeBackupPrivilege	3788	wmic.exe
Token: SeRestorePrivilege	3788	wmic.exe
Token: SeShutdownPrivilege	3788	wmic.exe
Token: SeDebugPrivilege	3788	wmic.exe
Token: SeSystemEnvironmentPrivilege	3788	wmic.exe
Token: SeRemoteShutdownPrivilege	3788	wmic.exe
Token: SeUndockPrivilege	3788	wmic.exe
Token: SeManageVolumePrivilege	3788	wmic.exe
Token: 33	3788	wmic.exe
Token: 34	3788	wmic.exe
Token: 35	3788	wmic.exe
Token: 36	3788	wmic.exe
Token: SeDebugPrivilege	4708	powershell.exe
Token: SeDebugPrivilege	4712	powershell.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	4904	powershell.exe
Token: SeIncBasePriorityPrivilege	4244	6z2guuz0ldkdgc1o.exe
Token: SeIncreaseQuotaPrivilege	5000	wmic.exe
Token: SeSecurityPrivilege	5000	wmic.exe
Token: SeTakeOwnershipPrivilege	5000	wmic.exe
Token: SeLoadDriverPrivilege	5000	wmic.exe
Token: SeSystemProfilePrivilege	5000	wmic.exe
Token: SeSystemtimePrivilege	5000	wmic.exe
Token: SeProfSingleProcessPrivilege	5000	wmic.exe
Token: SeIncBasePriorityPrivilege	5000	wmic.exe
Token: SeCreatePagefilePrivilege	5000	wmic.exe
Token: SeBackupPrivilege	5000	wmic.exe
Token: SeRestorePrivilege	5000	wmic.exe
Token: SeShutdownPrivilege	5000	wmic.exe
Token: SeDebugPrivilege	5000	wmic.exe
Token: SeSystemEnvironmentPrivilege	5000	wmic.exe
Token: SeRemoteShutdownPrivilege	5000	wmic.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
752	OpenWith.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3604 wrote to memory of 4244	3604	resembleC2.exe	77
PID 3604 wrote to memory of 4244	3604	resembleC2.exe	77
PID 3604 wrote to memory of 1948	3604	resembleC2.exe	80
PID 3604 wrote to memory of 1948	3604	resembleC2.exe	80
PID 1948 wrote to memory of 3788	1948	MoonHub.exe	81
PID 1948 wrote to memory of 3788	1948	MoonHub.exe	81
PID 1948 wrote to memory of 4716	1948	MoonHub.exe	83
PID 1948 wrote to memory of 4716	1948	MoonHub.exe	83
PID 1948 wrote to memory of 4708	1948	MoonHub.exe	85
PID 1948 wrote to memory of 4708	1948	MoonHub.exe	85
PID 1948 wrote to memory of 4712	1948	MoonHub.exe	87
PID 1948 wrote to memory of 4712	1948	MoonHub.exe	87
PID 1948 wrote to memory of 2452	1948	MoonHub.exe	89
PID 1948 wrote to memory of 2452	1948	MoonHub.exe	89
PID 1948 wrote to memory of 4904	1948	MoonHub.exe	91
PID 1948 wrote to memory of 4904	1948	MoonHub.exe	91
PID 1948 wrote to memory of 5000	1948	MoonHub.exe	93
PID 1948 wrote to memory of 5000	1948	MoonHub.exe	93
PID 1948 wrote to memory of 1848	1948	MoonHub.exe	95
PID 1948 wrote to memory of 1848	1948	MoonHub.exe	95
PID 1948 wrote to memory of 5028	1948	MoonHub.exe	97
PID 1948 wrote to memory of 5028	1948	MoonHub.exe	97
PID 1948 wrote to memory of 3284	1948	MoonHub.exe	99
PID 1948 wrote to memory of 3284	1948	MoonHub.exe	99
PID 1948 wrote to memory of 3444	1948	MoonHub.exe	101
PID 1948 wrote to memory of 3444	1948	MoonHub.exe	101
PID 1948 wrote to memory of 4936	1948	MoonHub.exe	103
PID 1948 wrote to memory of 4936	1948	MoonHub.exe	103
PID 4936 wrote to memory of 4872	4936	cmd.exe	105
PID 4936 wrote to memory of 4872	4936	cmd.exe	105

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4716	attrib.exe

C:\Users\Admin\AppData\Local\Temp\resembleC2.exe
"C:\Users\Admin\AppData\Local\Temp\resembleC2.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3604
- C:\Users\Admin\AppData\Local\Temp\6z2guuz0ldkdgc1o.exe
  "C:\Users\Admin\AppData\Local\Temp\6z2guuz0ldkdgc1o.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4244
- C:\Users\Admin\AppData\Local\Temp\MoonHub.exe
  "C:\Users\Admin\AppData\Local\Temp\MoonHub.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3788
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\MoonHub.exe"
    3⤵
    - Views/modifies file attributes
    PID:4716
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\MoonHub.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4708
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4712
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2452
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4904
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5000
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:1848
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:5028
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3284
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:3444
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\MoonHub.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:4936
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4872

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
213c5f720bf9ceb19847d8ca8f31027d

SHA1
f6006d0e4278dfbeab648802432b38d6a7d8b04a

SHA256
656e7fa022a6d0cab97426b8331e7f98396df0f3e5481d87b59ba7a113c3fbb1

SHA512
8e3bcb97316764d5109f7dbb9a639827aa8a8b2af1c7fa85a3ae22c3c18c81ab4f91b60947cde2bff5df5d0c8882c3dd43a7e4030388c44e0e6afb5184535b6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7d760ca2472bcb9fe9310090d91318ce

SHA1
cb316b8560b38ea16a17626e685d5a501cd31c4a

SHA256
5c362b53c4a4578d8b57c51e1eac15f7f3b2447e43e0dad5102ecd003d5b41d4

SHA512
141e8661d7348ebbc1f74f828df956a0c6e4cdb70f3b9d52623c9a30993bfd91da9ed7d8d284b84f173d3e6f47c876fb4a8295110895f44d97fd6cc4c5659c35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
6bddc96a32b9ed8fc70b141ccf4a39b2

SHA1
0f33c0699da40a5eadcec646791cf21cdb0dd7c6

SHA256
cb3853abe77eb0da8a1caccb49e97a573b6f35570722eb759116a645d724c132

SHA512
e41f1597b4129b759e4199db195df1c24e47cc47dc9850fab2d48e44bc3d37dc3658fbfbb62332a0b93c552587d7fab09de1634f605faa2209b8470c2a6eaca6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f29ff8b1e0f396a194a6782749830b8e

SHA1
2f8999b0eb2a20e591cf9a638c9fa84ddf4a1f69

SHA256
5bfd4968395fefaac3941c08fa11e86dfde1072137d9290aee3888f2a5d92d3f

SHA512
0689d665f2a7c9007c5dc4c14a53d5566d315d05d476bee82d64d02d40e3ffddca2b36419c76a8f7b7979958a62a7a93c939d1ed72fa7a844841ed06741b9e19

Download Submit
C:\Users\Admin\AppData\Local\Temp\6z2guuz0ldkdgc1o.exe

Filesize
45KB

MD5
8c7d2f0a936dbe6d0899d40171ffb668

SHA1
0b22fcd904f3b0fa2555a32a2635423668fc4616

SHA256
85f5f5acb54c30efd4f84c0f11c834b7dab98c5bb7357bddcd29fbe5babc4db6

SHA512
463a48ec2752fd002e82dfe555abd03fc666a523da99e0e848788eeff6f98d06d36a360cfd7ad70d342bb4c90a49131a3428f1404d17e04a7fe5a1022c1faa65

Download Submit
C:\Users\Admin\AppData\Local\Temp\MoonHub.exe

Filesize
231KB

MD5
f70b5e56a09af292d4e909c547f9c8c0

SHA1
577883bdbe8dc9582e15e7a1212b1fe432bafce3

SHA256
8fd22c5acb3144dbaa5ab3f9dd5901eb6f3beef67e72ea431246c6a790c067de

SHA512
e54ccb56aa6473abd3530493933d5164f2dff02076e0f03443382f02d177a52e318d8d0f432e6a3fb5620eaffd09f2dbf6ccbf9698ba149b149c594fa162d879

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nvvfnmhj.p3z.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1948-94-0x0000023966E10000-0x0000023966E22000-memory.dmp

Filesize
72KB

Download
memory/1948-93-0x0000023966CE0000-0x0000023966CEA000-memory.dmp

Filesize
40KB

Download
memory/1948-56-0x0000023966D40000-0x0000023966DB6000-memory.dmp

Filesize
472KB

Download
memory/1948-57-0x0000023966DC0000-0x0000023966E10000-memory.dmp

Filesize
320KB

Download
memory/1948-58-0x0000023966D20000-0x0000023966D3E000-memory.dmp

Filesize
120KB

Download
memory/1948-30-0x000002394C580000-0x000002394C5C0000-memory.dmp

Filesize
256KB

Download
memory/3604-31-0x00007FFDA3DE0000-0x00007FFDA48A2000-memory.dmp

Filesize
10.8MB

Download
memory/3604-12-0x00007FFDA3DE0000-0x00007FFDA48A2000-memory.dmp

Filesize
10.8MB

Download
memory/3604-1-0x0000000000E40000-0x0000000000E66000-memory.dmp

Filesize
152KB

Download
memory/3604-0-0x00007FFDA3DE3000-0x00007FFDA3DE5000-memory.dmp

Filesize
8KB

Download
memory/4244-17-0x00007FFDA3DE0000-0x00007FFDA48A2000-memory.dmp

Filesize
10.8MB

Download
memory/4244-15-0x0000000000320000-0x0000000000330000-memory.dmp

Filesize
64KB

Download
memory/4244-111-0x00007FFDA3DE0000-0x00007FFDA48A2000-memory.dmp

Filesize
10.8MB

Download
memory/4244-116-0x0000000000DE0000-0x0000000000EAA000-memory.dmp

Filesize
808KB

Download
memory/4708-40-0x000002216C8D0000-0x000002216C8F2000-memory.dmp

Filesize
136KB

Download