Extracted

• • Target

    6a856e121efd06bea72dbf93e24570e3c08e9859795e8234492254559f9aff53.exe

  • Size

    257KB

  • MD5

    c30f9465054f33e6dea1a2ba5cb206e7

  • SHA1

    6c2609663a7aa38f738b0104785ab1ba469af013

  • SHA256

    6a856e121efd06bea72dbf93e24570e3c08e9859795e8234492254559f9aff53

  • SHA512

    181eee666cc26508697e50843ccf55e3c46dad0598b1f493d44f1c6dde8ca84df1d77eaecea0f289386a570d49e9aa2c6daa4b3f617659b092912a22adb6dc0d

  • SSDEEP

    6144:floZM+rIkd8g+EtXHkv/iD4u76SecjfUx1gevPehab8e1mZRXLijK7so:doZtL+EP8u76SecjfUx1gevPeIqRWjKL

  Score

  10^/10

  umbraldiscoveryexecutionspywarestealer

  • Detect Umbral payload

  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral

  • Umbral family

    umbral

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Drops file in Drivers directory

  • Deletes itself

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1behavioral2