General

  • Target

    CorruptX1.3.exe

  • Size

    495KB

  • Sample

    250123-eymbzaskd1

  • MD5

    c57206c732c6cfaa8a4de6495732c8de

  • SHA1

    eb4127b4a20b05a3db766b3c953f0e12eb3070e9

  • SHA256

    0465cfcd8ec390d5d4e321ca1609ee70be881b906754cb5e783201114d922fcf

  • SHA512

    f1205d7c5daaa6b38ec121200875c8355857252ad4d474ce629c8584e73933e050e4f74c968617908044b9e819bc099dab8866e4f065acd4aa0b203001d1a6c9

  • SSDEEP

    6144:vloZM+rIkd8g+EtXHkv/iD4cGiqU69VeGbGkFZw9Xb8e1mqe6i:NoZtL+EP8cGiqU69VeGbGkFZwBLS

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1330967717079027774/wuYhxj7H9hhyXmX2qS4ee6Vv2q083EOpuDjdT-c5pmHqDdHcGXzr2KPkcCg3Qzew2QWy

Targets

    • Target

      CorruptX1.3.exe

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an open-source modular stealer written in C#.

    • Umbral family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks