General

  • Target

    OblivionCheatVIP 2.1.rar

  • Size

    45.5MB

  • Sample

    250114-zh3dga1pam

  • MD5

    e1bdb1bb87c0e037710f6305c54c969a

  • SHA1

    9b9f9848036fb35395e50b515ed45169d6883436

  • SHA256

    f139ed18bca38e4e61fa88f94f0a070d217df1c1f647191510253352724ea1b5

  • SHA512

    d839d93fbf3547f84ea465f6e9423b5d70b70e840c9f2e0df906cb8f483ea58524c5c79f6badb1f9b2df7a0e7b640904ebca488e36a07dc2dd62edf0f74ccc13

  • SSDEEP

    786432:u5r8IfJQOhn0irjgZzaSiI5RTbhVRaqm9hrb/CU0ItR8uZQouD:gRJhhnPruJXByqgPtR8uSD

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1326623157028913212/jlk5SjJembzYiYsGT0bg_70kMXYfak5GFsTDwPZEZQWRTYI4z_Kz9R6n4WKwU74BXibD

Targets

    • Target

      OblivionCheatVIP 2.1.rar

    • Size

      45.5MB

    • MD5

      e1bdb1bb87c0e037710f6305c54c969a

    • SHA1

      9b9f9848036fb35395e50b515ed45169d6883436

    • SHA256

      f139ed18bca38e4e61fa88f94f0a070d217df1c1f647191510253352724ea1b5

    • SHA512

      d839d93fbf3547f84ea465f6e9423b5d70b70e840c9f2e0df906cb8f483ea58524c5c79f6badb1f9b2df7a0e7b640904ebca488e36a07dc2dd62edf0f74ccc13

    • SSDEEP

      786432:u5r8IfJQOhn0irjgZzaSiI5RTbhVRaqm9hrb/CU0ItR8uZQouD:gRJhhnPruJXByqgPtR8uSD

    • Detect Umbral payload

    • UAC bypass

    • Umbral

      Umbral stealer is an open-source modular stealer written in C#.

    • Umbral family

    • Command and Scripting Interpreter: PowerShell

      Uses a powershell.exe command.

    • Drops file in Drivers directory

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Adds Run key to start application

    • Blocklisted process makes network request

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • An obfuscated cmd.exe command-line is typically used to evade detection.

    • Drops file in System32 directory

    • Enumerates processes with tasklist

    • Target

      OblivionCheatVIP 2.1/Addons/Microsoft/WinMaps.admx

    • Size

      2KB

    • MD5

      5a08143f3fd10007d14526c13b873e78

    • SHA1

      7286e0823164400f7dbb5eb31e1e87a586913098

    • SHA256

      dc368259c70a4dcf91b04f71a80961bb0dd8233092b01318c43fe01f6088e255

    • SHA512

      87027f48cee30f40edef797f0b482521456f5749532ab8a5606aebe6535c3e0d7b23b9c979f06c40ac2aca11ac5c450c8456c59b70a49c187e06f81d0380528f

    Score
    3/10
    • Target

      OblivionCheatVIP 2.1/Addons/Zlib/6.5/Oblivion Client - Installer.pdb

    • Size

      12.7MB

    • MD5

      0b86101c486e90d87a8d3de0c9d279d1

    • SHA1

      40360ea9cdcb3f70cf5a812959a7d29a85052bbb

    • SHA256

      e22051a1221f42955ffed82b3614569f18737cfd424234cd4c90e8542785a08a

    • SHA512

      93ee08c84c2cbe0670c7852d53a5e77d4a43043aa78989d669bcdb77077ef1dab153c9faae96c1d8cce6a191aa75624a28893ef81ef5dec325f9dcd07d6f2d82

    • SSDEEP

      98304:GpStuA7r2KfcgQS2F558lGVrVDclE3Hh0NGpH0n428peJ/JAkMGS0xLd5YlVanQ+:hbzz0Igcj5TpUr7rxxYkq

    Score
    3/10
    • Target

      OblivionCheatVIP 2.1/Addons/Zlib/6.5/imgui.ini

    • Size

      1KB

    • MD5

      cdd2786e6177b185b349437551c43b4a

    • SHA1

      032e72c2d469bae81d7c9ef89fedd6dd0867203a

    • SHA256

      876ff105a74a5135ecf2bdd650a8312d353d887f410e7d0535dc47ce5bbf9337

    • SHA512

      2a5bd47f0df40b5f51560614358f92a29ce8fbbecc1c6bc5158297837895b7b3c5ab009697c585618b755bc26a39d3d1db0777884cdbc272f5f1ee015ab14f75

    Score
    3/10
    • Target

      OblivionCheatVIP 2.1/Addons/Zlib/6.5/login.json

    • Size

      23B

    • MD5

      1f27b170426a8afbab13c8fb9f0fda4d

    • SHA1

      d4a1ee28812feec9f26de2696f58574f63bd71d6

    • SHA256

      fc4d31fe0e2f82e79f8a257d579552dc6bde6f2477ec81f208debcec4aae40fd

    • SHA512

      a46f917eef10bcb4695eac885ff4367a5e63536ac14cf4a59f91447e88b9830d2d351c05293516f0a2c937d118774128da09db045ac99788c6f4ee3211a60f44

    Score
    3/10
    • Target

      OblivionCheatVIP 2.1/Compilers/tinycc/include/_mingw.h

    • Size

      3KB

    • MD5

      3b4e52eaf66a0434ef4bd79587b95243

    • SHA1

      c0c21c145420487f4925e8b8f05e4eb5cae63fc0

    • SHA256

      f574410ada4c9ae430b17af722102f6b9dc749d7ec8dfe45427e51e269abe034

    • SHA512

      333b50e44756a6763ebab63719aa2f22332301fb4ddb8b992d10b0685878765eb22e5e56c540ca4ff1d3cd79e7cb7bd119845ca97ca13a270ac3c24d401220e7

    Score
    3/10
    • Target

      OblivionCheatVIP 2.1/Compilers/tinycc/include/assert.h

    • Size

      1KB

    • MD5

      b7502a70ef825c038beb2fdb7709901e

    • SHA1

      e6ca39e6c556e0ecf758c5cf3661cd0c5e0fdf19

    • SHA256

      a0b726d7f82beac0cffb550c33ead8f23186fd941de5216fa48da97a25995650

    • SHA512

      67348abfeea1d22715d6a72423dfecc9db691b64ec1d39ea418c6f04b44d9d8cdb649beec601cbf3499c327893cc8af6d9ecf68d2400003fd89ca43a34b30478

    Score
    3/10
    • Target

      OblivionCheatVIP 2.1/Compilers/tinycc/include/conio.h

    • Size

      10KB

    • MD5

      6a61e54ad2614ba528414c7b69147caf

    • SHA1

      242479133484e15a2af816d95ddb053835bf4c64

    • SHA256

      de7161f85835d98b38fe6a19ef8973dcaf58ec237b1c91cf05ac535b2ff3845f

    • SHA512

      468702a606e20ffa893054f676c56dfe6eb3d28a002bae143298422ab388a2f2f78e318714f5274bc9ebd243863f5228d5ebead5f31d892e96d8742c8e6846a1

    • SSDEEP

      192:R9IFnJJzpoJItwJ+Y31t1d1uF8sFX9B17lHLQWq4QcHyQA3sG1:XI4IJ2WzPw

    Score
    3/10
    • Target

      OblivionCheatVIP 2.1/Compilers/tinycc/include/ctype.h

    • Size

      9KB

    • MD5

      22e5a00491e32d15b40b196397ad01c1

    • SHA1

      b0db6fcbf4abd2f4fdea2771399c1e502d9f8106

    • SHA256

      4cfaaa43b3f7414984126e8b1cdf65f9dac0ef68d9a3396be0b8828376a74a6b

    • SHA512

      28839104776441738233334a20de6ce3ada51179fb50366c27ab60432949fc78e1ccf735d2e80216f8779d84328634005c322d0010875e8fe0ff33d699ecc114

    • SSDEEP

      192:aK0sBzLLoy8q3JHZDrs+UAt0g7WnBeaIlzjD:EALLb8ars+Flzf

    Score
    3/10
    • Target

      OblivionCheatVIP 2.1/Compilers/tinycc/include/dir.h

    • Size

      952B

    • MD5

      ef5c7267df270272bfa8f8ebd1b516f2

    • SHA1

      1e3f8a9afd814efa8cf7c88dc480e9914a5bc570

    • SHA256

      84064b17e501d691c43d47e45b112c2884db467417910b5fa1482b72342badfb

    • SHA512

      8ca2b0e08b66eaa843fc7ad0f8f4063450a469914819a637aa3f8cac39dd38e32cc0403f2b04f767ae486934026585b56f93544c8a1f5d92cce32ce84a4506f4

    Score
    3/10
    • Target

      OblivionCheatVIP 2.1/Compilers/tinycc/include/direct.h

    • Size

      1KB

    • MD5

      83679da78aaf8f8352acb1883b9ef868

    • SHA1

      fd89079636571a93755120120ab4f03b91076478

    • SHA256

      179c3204312d7cf8032102773629bcb3e5fff792d1d808931cb6619a431d2435

    • SHA512

      13af1f2c118e898e6055ca61286c9766df75366ff4f30708f613193cd8f89afc4a4cc2fd31fc3ac6dce5d577ee83e203f79aca3b739d9d9e9e60b42cd9c7036e

    Score
    3/10
    • Target

      OblivionCheatVIP 2.1/Compilers/tinycc/include/dirent.h

    • Size

      3KB

    • MD5

      afbe32ee6ded8cbad33d6fe3fbbf077d

    • SHA1

      a7f0d3edee5f49e127575eb25e64e2747108e7c3

    • SHA256

      88c1f767fdcd6d51b991ee3234792da48c8576f5f8816f17a42344f9c8bbb1c1

    • SHA512

      f655a40f8c87a0cb43a34ae47612d5cef2cf7814fd2ae9ce1c8566f97f45e91470364bd87e8c12861cce44fb8cca54717546baacc6ccbdace51d0d15206304dd

    Score
    3/10
    • Target

      OblivionCheatVIP 2.1/Compilers/tinycc/include/dos.h

    • Size

      1KB

    • MD5

      3b6fbc94238df0fd001b04d55bc899db

    • SHA1

      231e18ce6a5488b2353fb9ef052fd6677c2cf555

    • SHA256

      3afea4ae85c68987fe59f40592ac5ea3ef1049b4fb72612bb185358d628e2dec

    • SHA512

      28ba3ed6cc9511f17798822fa81a2d16da17ca4af9da64f3edc9170fbb883801bf07390214c54b58a32251e6a1c3bb359cb76e892ddb77fbf8c1bf3985e13e5e

    Score
    3/10
    • Target

      OblivionCheatVIP 2.1/Compilers/tinycc/include/errno.h

    • Size

      1KB

    • MD5

      309538039188f5e3cf010fb1b0c7cf66

    • SHA1

      2ea79342c5ffccdb1c4bc613f2d5d55cb45c0117

    • SHA256

      ddacb88c325b09d6c7482e446c877c4d01328a28d803332ca38c54b428d1b8b0

    • SHA512

      ea9ec288e5963ae2ccad77ec255bed04a1051ea7d70bed6e6b863f8b9da829d4a42703ee66f9b14873286651ca5bf9eb0c89d400735b95534f6724c9b860cf19

    Score
    3/10
    • Target

      OblivionCheatVIP 2.1/Compilers/tinycc/include/excpt.h

    • Size

      3KB

    • MD5

      d236372cba09e14c37b4e48f81baef83

    • SHA1

      11a3bffaacedfa1caa4b4bb836cd95297a4ecc6d

    • SHA256

      0098e51602c94f8a9702f4b776d3630f56eec27ed67b9fc36d9204933b58ac4d

    • SHA512

      d7c22525fbb97bf8950db69645511420f1198abe33f5d0fe07a5ee8dd6b5cda07038b6db71a2995c6f5ec1b85d8b98e4370330193132e95f2a65e3a847f04408

    Score
    3/10
    • Target

      OblivionCheatVIP 2.1/Compilers/tinycc/include/fcntl.h

    • Size

      1KB

    • MD5

      478add63d2c741d03a60a11bdc4fc0d3

    • SHA1

      e9e0c857d2c409f23c346d81b77c5634f1c395ab

    • SHA256

      fbd94f945a57165ac897bdbacd2a861b1351e7850fa76752703c0a622e0646fa

    • SHA512

      bccc563718b1a03e93e5bf8cf0d79bb3128a3fc1fdd6fbc17792cbaf3c5de70de06ec2f88d8eed7105ff62056e32e9a79570f5890e75f4443033421d283b2fec

    Score
    3/10
    • Target

      OblivionCheatVIP 2.1/Compilers/tinycc/include/fenv.h

    • Size

      3KB

    • MD5

      deec7c35f77ec8e22074667641ca8851

    • SHA1

      8cce6b663a9a04b3c13aa6621b0798e487a8a88e

    • SHA256

      67a827acf4e09653afb5d18f2ecaa5fcdfb7471d8a5b8197c2f33d06e8462f84

    • SHA512

      8de2b82b0579e6c37546a26bc1ab5d7603090e815d8ce728474b1405339ab4ef4f0794df19ff4cc3780aa7259288d4d93fd50b0e9c63d413ff22ad5e72bfcbe5

    Score
    3/10
    • Target

      OblivionCheatVIP 2.1/Compilers/tinycc/include/float.h

    • Size

      1KB

    • MD5

      7b3a9b2e219c615aa0d5476c5ec2e318

    • SHA1

      e1658e94692f7e1f51a6fe13ecf03ca6e64474e9

    • SHA256

      e2ed9e0e87505e9a679659373be768b757f31ce30538c49bb245f954f2ed766f

    • SHA512

      7b1b60a1016082e89989e385e8763d7483dec13694b909549328925c3cf905b0690a3f0f2c2fe873e78feb2fe2dd54034c411901ffe056bdb7f990eb33bddf78

    Score
    3/10
    • Target

      OblivionCheatVIP 2.1/Compilers/tinycc/include/inttypes.h

    • Size

      5KB

    • MD5

      6bb72461c8c72cc3b96f78c73fa803ba

    • SHA1

      4506fb8bfa1622d4533db176b3dcfab0ae021672

    • SHA256

      4194c0408cdba330b7cfa1d2091d72a0cfbf2077ff1feb19f436f3f3aa2adf18

    • SHA512

      5f6d95651183fbce7490a619d37672f2d3bac516319d0edcd4e782a77632b457632eb83ab54b67132752649fbbfbd1d4eb2b4aba2622bdf729f0c4bd7509db2b

    • SSDEEP

      96:a0GgtlRUn9ZpD5AgcpqdvDp/pwZzSAGkKTskBkbBpbwlHrhchgM2bRBhuYBbV3VU:a0GgJUn9ZpD+gcpqdvDp/pwZzP1iskSX

    Score
    3/10
    • Target

      OblivionCheatVIP 2.1/Compilers/tinycc/include/io.h

    • Size

      12KB

    • MD5

      4ac0744ef16453febed8de4242997946

    • SHA1

      b092c9006de0a8dbe7f0ff568b6caafb00b4c90a

    • SHA256

      5da97c850e8e2ab608c42947a33411f556f6d75b8264e1e5cf29ca7ba7b96256

    • SHA512

      1ec9947c6fe0160954f3922d6990863865d274874c31355f0838ccbb1bbf6650a9a3f0d3590537a189afbf80e33cde5393260fdd5f3ea5a736a066cdcc5ff815

    • SSDEEP

      384:Y8Bx8BjP8BJPKf37Rw8z/hI9B3mpv6O3O8iONUO5OG0xLIJ8SNgVSAMczPO8cONU:r02oxz7vX+8fNxIG0S8SNgVxz28ZNU

    Score
    3/10
    • Target

      OblivionCheatVIP 2.1/Compilers/tinycc/include/iso646.h

    • Size

      548B

    • MD5

      8a96d620d87439847852f75e9b2bcaec

    • SHA1

      9055260c887fa15e132deff32ffaeaa7d060afba

    • SHA256

      20f5e93cef729d02930d141c23ad9bf94a8f78c42c8d36eb04874d8d1958c6c1

    • SHA512

      3f4c99ba5c0f4ee681f40bba114881ebdc407e95a2c3209796ec74a56ce188fc1666c9a02c016636b3d238c3225f1ea6a064682e2a29814646dd7fbe6f48e40b

    Score
    3/10
    • Target

      OblivionCheatVIP 2.1/Compilers/tinycc/include/limits.h

    • Size

      2KB

    • MD5

      5be6b04221366632fd3ea3110213676b

    • SHA1

      5fc1f334ffe514780798f6178330f756bfcf9972

    • SHA256

      395d8bf72ed91b83d512234089ae8a96d8a21e72f5fdcbd56af4aef6e1110c62

    • SHA512

      1326d02376573e3bcdc9567c00d443d56b4f72b07452bf96f508f0f3a49c5e09c73e643b961aa5e47c212517002f8dabfd34afbb840cc09eafba1f6cb8edb7df

    Score
    3/10
    • Target

      OblivionCheatVIP 2.1/Compilers/tinycc/include/locale.h

    • Size

      2KB

    • MD5

      5f6a3e42f8eb297b888b498d93437c3c

    • SHA1

      09729d7892a1ed36afaddec40674aceb62b5fa88

    • SHA256

      882626fa25dbc1b5903e6fd98cc8516f1e54c4e06945026653f05b38125dff2c

    • SHA512

      587bb7be57dda7db0bf8c454a78dd67d850342d97bc7c99a9804d53fa7929eb42c1194e13456170c0902ca7a15c028a6c635879889f0af6a9ed833c2e046b9ec

    Score
    3/10
    • Target

      OblivionCheatVIP 2.1/Compilers/tinycc/include/malloc.h

    • Size

      5KB

    • MD5

      537bc027e86f7252d88b6bf2fe5b2f35

    • SHA1

      7f3361d220f96ad1b93669254937929f267cc333

    • SHA256

      7307ff330b8d7954d548e19e45887ed64de36da5bee1fda2cc021f0c1c1892bd

    • SHA512

      3d7693f46fe1272decba8efb6a01853786419055cf338cc900c9fe3ec1b795ba25e16878a5d53261bf3bc3bab7525110b6f1844501d5fb6be45c57b5d277f625

    • SSDEEP

      96:y4bSZjA6r8VdQINtNy6XVqB4/mLErYQ015U/dIuvwQRbZBq35jU:9urrSXIzGdIuvwQR9YJo

    Score
    3/10
    • Target

      OblivionCheatVIP 2.1/Compilers/tinycc/include/math.h

    • Size

      14KB

    • MD5

      2002b799878af9dda2fb41c6031d0612

    • SHA1

      b61c594f99dc04a3ed785b4bca1b387b5326dae5

    • SHA256

      87d99e5321f499299bb405cfdd162b6fb905c7a2f5ac037f2a2d41ea6e7d2642

    • SHA512

      9b72f0b65036a7c5f77ff7ef5a2ee23df89cb2358c966a7e786941aca43e7b5c1658bb6ce0a850ff2fc9bb0433e244191189cd26c65b47db5cc5d30198ee8f82

    • SSDEEP

      384:lpwI0xKSwkqaOV8JLWucZBFrhHONMLPik9OeZ:lpPhkLOyq

    Score
    3/10
    • Target

      OblivionCheatVIP 2.1/Compilers/tinycc/include/winapi/mswsock.h

    • Size

      2KB

    • MD5

      5c8a3ac3968c89102232a281b44e8f29

    • SHA1

      590823e57147895000d0583c36ddcd6643bb3856

    • SHA256

      1b17a028ffc73e496f205302f83011315ac037434d5ea73b3f6de7a741ff85f2

    • SHA512

      db23342406119a3826d304ddfb91d3993d7c0bf5a623e17dcf45cf4308903d3da72d9c1bfef26838bda6ffea0c77e7875448b31a85e2560948cab742339909f1

    Score
    3/10
    • Target

      OblivionCheatVIP 2.1/Compilers/tinycc/include/winapi/nb30.h

    • Size

      4KB

    • MD5

      e35dfbb34027a937ba50d82b73b6176c

    • SHA1

      e47f4d0f63815c624d5293e88e4b81de75bb21a9

    • SHA256

      d6f71f376da33f63b72b1ebbe63e1f0cca3b63d63771de454532814dce0f7374

    • SHA512

      ac90f0755884c39d0e8b1f68a09cbe4ccbe10ea8362758e1905d06d3ffee9641f05db1940ed75a37c6f0b1f8b3ee1313a54763454a3a7b03c0264370f8bbeb9d

    • SSDEEP

      96:e8C+EOYk7R258Rua4LE9eaiYMqtLalJUDVqRWUsq/Hwk3QUtuq3C82:pC+xq58RuaeGeajtLaHUJqRWUsq/z3Qn

    Score
    3/10
    • Target

      OblivionCheatVIP 2.1/Compilers/tinycc/include/winapi/nddeapi.h

    • Size

      4KB

    • MD5

      c3c680e5a1e4b555f1c5195d257f044b

    • SHA1

      e53d5fc7f37908263e715fde735e87f621db2068

    • SHA256

      29d72ed359fd0544f2bdd5d2180e61110e8ae414a040d42fa4d694d36896def3

    • SHA512

      908e050e45012055dc6884d60c5f576d4f6e12513c2776da875ac23eef999a7407038a60920ce99dda131a24a4c0d84fb668b591464764743b6cb8b8c7d84881

    • SSDEEP

      48:kF/93ZHsJbfwWe6yggZ8q/Nzgyk43wtfiPSJ+BiQi9rVLZjDdWkddS9adUkdY1Rz:cFJZWsrDdzwlP4GLZswS9TnzBaBJ8Sps

    Score
    3/10
    • Target

      OblivionCheatVIP 2.1/Compilers/tinycc/libtcc.dll

    • Size

      221KB

    • MD5

      018d32ce36c442b94c89a112282106ba

    • SHA1

      d64c9b5ade44b0c766790581d31d2925f80c8fe8

    • SHA256

      5673e555abaf7adc8856c04e2ecb63fee657aca2c1cf538f7bf4ddcfba8b78fd

    • SHA512

      cc77978a01379cbae0c45447bb8dcbc3bee99d6fce5eecbf0b5128ca965ecc71a1b86f6ec8eef79eeb4b79af1a2f9f436eecbac2ec5880f2c10e3a5cb2cbede7

    • SSDEEP

      3072:Uo/H0rj173sxwQYsZjqwVFg49F3UaEX6FJtdHUaXnuBRbsWJwPNAzvSEw6/wwRkI:F/H0v1oxw+9bnERbLJeE//wakI

    Score
    1/10
    • Target

      OblivionCheatVIP 2.1/Compilers/tinycc/tcc.exe

    • Size

      53KB

    • MD5

      08c121c2147e21032d5212f3d430660a

    • SHA1

      e93e7cca5c3ba779a36fb14e5fdb3182d745279a

    • SHA256

      54f013a8811498a3bd20d8440a497698de96b659930001874f7c7f638f887d1d

    • SHA512

      7b4eddb5e77d78640b56c4b970f96070bd7ed6d281f9a2d5895e7a1b4361cb5edb027068b087d71363ad617609109e6c42795022ec46b16a48cd2b468f711d27

    • SSDEEP

      768:S5lhh+VJ2AgP4Z1sFo1DSrsXitHcidyRPDG+VpHVZvnaIOyPCFW:YhCJ2jP4Z+mDS4XoHcidGzp19iGCFW

    Score
    1/10
    • Target

      OblivionCheatVIP 2.1/Compilers/tinycc/x86_64-win32-tcc.exe

    • Size

      247KB

    • MD5

      0317013fd9ea6e7865c09a37a201b183

    • SHA1

      ffea3f9c19f8ea5f1c54ba9eb624a84dd0f1ae94

    • SHA256

      8daaad81845f30e6e09615555f96219ce8dbb281c1497a2ccbdad8e42c79b718

    • SHA512

      da23ad806d71537aa746f990ed36069848fbec64553ee7748b992d38144b5c8fe98a9056bccfacc31981f9d082ebdcedb677fe47a47babd67a8f649a750a2cb4

    • SSDEEP

      3072:XFD5/M9pRIaD0oEjMCLxeLHjQJPJ2yWPWAAsQfFcGBzn8wEfTEL3QpfbJKJuPfMl:r09ZkJP5WhrELApd3PMM7Cpl

    Score
    1/10
    • Target

      OblivionCheatVIP 2.1/OblivionClient.exe

    • Size

      41.8MB

    • MD5

      95a3e8c1d4a5c7bd87a123b5cccb9f67

    • SHA1

      152bca2603e39111cc446692d8a29501d980def9

    • SHA256

      aa3765a7cfa4a5430c350c0d44252216c215c3fb3ffdf793cbef71dea633bdd8

    • SHA512

      8c9663f0f7700dd71475e9bad481e38a1131c636181ca768c4b9016c5e6e233131a37ab5e100b6c071459ef4ee6a7ace6eb22bd671cf5b0c8ded61e6ac8387d1

    • SSDEEP

      786432:/ogRer1/vUMrlxwEnk9T5diXo80MVzyj41wt/B3FVB4idWQb9QqMbJVaGeSWj:/ogRA1/3l1nkZ5diXo80MVu82TrXQqk4

    • Detect Umbral payload

    • UAC bypass

    • Umbral

      Umbral stealer is an open-source modular stealer written in C#.

    • Umbral family

    • Command and Scripting Interpreter: PowerShell

      Uses a powershell.exe command.

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Adds Run key to start application

    • Blocklisted process makes network request

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • An obfuscated cmd.exe command-line is typically used to evade detection.

    • Drops file in System32 directory

    • Enumerates processes with tasklist

MITRE ATT&CK Enterprise v15

Tasks

static1

Score
3/10

behavioral1

umbral, defense_evasion, discovery, evasion, execution, persistence, privilege_escalation, spyware, stealer, trojan
Score
10/10

behavioral2

Score
3/10

behavioral3

Score
3/10

behavioral4

Score
3/10

behavioral5

Score
3/10

behavioral6

Score
3/10

behavioral7

Score
3/10

behavioral8

Score
3/10

behavioral9

Score
3/10

behavioral10

Score
3/10

behavioral11

Score
3/10

behavioral12

Score
3/10

behavioral13

Score
3/10

behavioral14

Score
3/10

behavioral15

Score
3/10

behavioral16

Score
3/10

behavioral17

Score
3/10

behavioral18

Score
3/10

behavioral19

Score
3/10

behavioral20

Score
3/10

behavioral21

Score
3/10

behavioral22

Score
3/10

behavioral23

Score
3/10

behavioral24

Score
3/10

behavioral25

Score
3/10

behavioral26

Score
3/10

behavioral27

Score
3/10

behavioral28

Score
3/10

behavioral29

Score
1/10

behavioral30

Score
1/10

behavioral31

Score
1/10

behavioral32

umbral, defense_evasion, discovery, evasion, execution, persistence, spyware, stealer, trojan
Score
10/10