umbral | f0bfbd7e921feaaf6d0b701cf58fa72e665fb20cc945bdb5ebf22c4c436eb6a7 | Triage

Sharing

General

Target

SolaraBootstrapper.V210.exe
Size

231KB
Sample

250115-pbw8rstpak
MD5

a3b5e75b75b23ccdc2d0ad1f6cdce98c
SHA1

a78fa26acdfb97af1ff1ba42d5467f9c90162b4a
SHA256

f0bfbd7e921feaaf6d0b701cf58fa72e665fb20cc945bdb5ebf22c4c436eb6a7
SHA512

5e51aa1e84378573cda2920d17e5c0737c5c432a074324dffa2b0313794519c10b66e27c99f8d59c261b8c0b6481e3135c524c3ef6b8a8331898a0840689d9a3
SSDEEP

6144:BloZM+rIkd8g+EtXHkv/iD4WAaJdLocD9abtIExcqb8e1m85i:zoZtL+EP8WAaJdLocD9abtIExHe

Score

10^/10

umbral discovery execution spyware stealer

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1328759115253809182/fIe4XMBl8i7_EFCrAx8t8UMPorJc6I5BFEXWdDAvPtPUAtPGv0E8ejmGJxJuhJjtySTP

Targets

- Target
  
  SolaraBootstrapper.V210.exe
- Size
  
  231KB
- MD5
  
  a3b5e75b75b23ccdc2d0ad1f6cdce98c
- SHA1
  
  a78fa26acdfb97af1ff1ba42d5467f9c90162b4a
- SHA256
  
  f0bfbd7e921feaaf6d0b701cf58fa72e665fb20cc945bdb5ebf22c4c436eb6a7
- SHA512
  
  5e51aa1e84378573cda2920d17e5c0737c5c432a074324dffa2b0313794519c10b66e27c99f8d59c261b8c0b6481e3135c524c3ef6b8a8331898a0840689d9a3
- SSDEEP
  
  6144:BloZM+rIkd8g+EtXHkv/iD4WAaJdLocD9abtIExcqb8e1m85i:zoZtL+EP8WAaJdLocD9abtIExHe
Score

10^/10

umbral discovery execution spyware stealer
- Detect Umbral payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Umbral family
  umbral
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Drops file in Drivers directory
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Remote System Discovery

System Information Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

umbraldiscoveryexecutionspywarestealer

behavioral2

umbraldiscoveryexecutionspywarestealer