umbral | e6c8e4cd391de11ec1dfaddd80858fafb704cf7071b84ca4c33e1c3adbcdec35

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
27-01-2025 03:34

Target

e6c8e4cd391de11ec1dfaddd80858fafb704cf7071b84ca4c33e1c3adbcdec35.exe
Size

227KB
MD5

5ca108ee3ece9269646be3688bcb15cc
SHA1

aef5338c3af5098644dcb6ca7138fad8764b6b68
SHA256

e6c8e4cd391de11ec1dfaddd80858fafb704cf7071b84ca4c33e1c3adbcdec35
SHA512

6ad1b7dc0fc15e0d9092d4e678788554ac2e9316276f0893de363dd06165fe984a6f62bf174489db3fc97275119b72410112f350b1c1db3caa81f6d49e513cb8
SSDEEP

6144:eloZMBfsXtioRkts/cnnK6cMlFV1RIywvrYthkijD6frJR8eoy/i9:IoZrtlRk83Mlv1RIywvrYthkijD6Cp9

Score

10^/10

umbral stealer

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/1384-1-0x00000000012D0000-0x0000000001310000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1384 wrote to memory of 1960	1384	e6c8e4cd391de11ec1dfaddd80858fafb704cf7071b84ca4c33e1c3adbcdec35.exe	31
PID 1384 wrote to memory of 1960	1384	e6c8e4cd391de11ec1dfaddd80858fafb704cf7071b84ca4c33e1c3adbcdec35.exe	31
PID 1384 wrote to memory of 1960	1384	e6c8e4cd391de11ec1dfaddd80858fafb704cf7071b84ca4c33e1c3adbcdec35.exe	31

C:\Users\Admin\AppData\Local\Temp\e6c8e4cd391de11ec1dfaddd80858fafb704cf7071b84ca4c33e1c3adbcdec35.exe
"C:\Users\Admin\AppData\Local\Temp\e6c8e4cd391de11ec1dfaddd80858fafb704cf7071b84ca4c33e1c3adbcdec35.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1384 -s 500
  2⤵
  PID:1960

memory/1384-0-0x000007FEF6183000-0x000007FEF6184000-memory.dmp

Filesize
4KB

Download
memory/1384-1-0x00000000012D0000-0x0000000001310000-memory.dmp

Filesize
256KB

Download