umbral

General

Target

f66e2d7ea0cafc94b9ae2dea2b86bdd37a26dfa02381f82ea8a791c7a6025f80N.exe
Size

1.6MB
Sample

250119-pdyvdaxmdn
MD5

4131bbc8e8e1f839b6d116fbdc75b760
SHA1

40c1cc07a70cc1183cd096ccf2f5322d4ede7149
SHA256

f66e2d7ea0cafc94b9ae2dea2b86bdd37a26dfa02381f82ea8a791c7a6025f80
SHA512

908d5482a530ff722f988356beccb8c6904d5acbcdb40dc2608098e0abcfc1a1991ebb615e5ab69716f3d96ca1049dd45850ff97c632ac1304ecee0da629ca4b
SSDEEP

24576:YcNnc2ZIQ2tRXUDo42d2ZCZbyLiVLVakZdwBuC/y45doBmkI+GgUVjt:blDoh2G+LiVzAsC/y8V

Score

10^/10

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1326743463613435985/70y7ba1b6sFIhNg-JtWQPKaJNsYwIyDKQXMSsjnPN75MdFtAYWdvSFwlzd-whY1wFSoz

Targets

- Target
  
  f66e2d7ea0cafc94b9ae2dea2b86bdd37a26dfa02381f82ea8a791c7a6025f80N.exe
- Size
  
  1.6MB
- MD5
  
  4131bbc8e8e1f839b6d116fbdc75b760
- SHA1
  
  40c1cc07a70cc1183cd096ccf2f5322d4ede7149
- SHA256
  
  f66e2d7ea0cafc94b9ae2dea2b86bdd37a26dfa02381f82ea8a791c7a6025f80
- SHA512
  
  908d5482a530ff722f988356beccb8c6904d5acbcdb40dc2608098e0abcfc1a1991ebb615e5ab69716f3d96ca1049dd45850ff97c632ac1304ecee0da629ca4b
- SSDEEP
  
  24576:YcNnc2ZIQ2tRXUDo42d2ZCZbyLiVLVakZdwBuC/y45doBmkI+GgUVjt:blDoh2G+LiVzAsC/y8V
Score

10^/10

umbral discovery execution spyware stealer
- Detect Umbral payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Umbral family
  umbral
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2