umbral | 3a61a0cf3cc36d28922d8215d7ec5414685e195e694bac030bca29a32d9683a0 | Triage

Sharing

General

Target

Umbral.exe
Size

229KB
Sample

250119-p5n49ayjd1
MD5

4bc2e7ac1436d46b28811c13b73b7700
SHA1

113e650f1c5d41a20bdcf33152d2b90ba23b04e9
SHA256

3a61a0cf3cc36d28922d8215d7ec5414685e195e694bac030bca29a32d9683a0
SHA512

114eb0f25fd0d1f9378645007f327dd7d9aa99065e3982b473a89bd08fb529c3d6d0092c79dc1f6fa12ed99e2f12a7820b6e3c9254f5d838df29131bb7b2001f
SSDEEP

6144:tloZM+rIkd8g+EtXHkv/iD4/E0fAmB5Kz/Cwhl0Adb8e1mc3li:voZtL+EP8/E0fAmB5Kz/Cwhl007c

Score

10^/10

umbral discovery execution spyware stealer

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1330520674737065984/wAiQioltW-4FvXy-ncOMtKyLEmMWGAXhzHpA-G43Qe5DD_tIZIJcgFMKC_EwekK39ywr

Targets

- Target
  
  Umbral.exe
- Size
  
  229KB
- MD5
  
  4bc2e7ac1436d46b28811c13b73b7700
- SHA1
  
  113e650f1c5d41a20bdcf33152d2b90ba23b04e9
- SHA256
  
  3a61a0cf3cc36d28922d8215d7ec5414685e195e694bac030bca29a32d9683a0
- SHA512
  
  114eb0f25fd0d1f9378645007f327dd7d9aa99065e3982b473a89bd08fb529c3d6d0092c79dc1f6fa12ed99e2f12a7820b6e3c9254f5d838df29131bb7b2001f
- SSDEEP
  
  6144:tloZM+rIkd8g+EtXHkv/iD4/E0fAmB5Kz/Cwhl0Adb8e1mc3li:voZtL+EP8/E0fAmB5Kz/Cwhl007c
Score

10^/10

umbral discovery execution spyware stealer
- Detect Umbral payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Umbral family
  umbral
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Drops file in Drivers directory
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Remote System Discovery

System Information Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

umbraldiscoveryexecutionspywarestealer

behavioral2

umbraldiscoveryexecutionspywarestealer