umbral

Resubmissions

01-02-2025 12:54

250201-p46mxavnak 10

01-02-2025 12:53

250201-p4nr4avmgl 10

Sharing

Copy URL

Twitter E-mail

General

Target

Zorara-v2.4.34-x64.zip
Size

5.1MB
Sample

250201-p46mxavnak
MD5

f444277db648196959fc50cd1a5da310
SHA1

28534db54aadb775c2437b5f4c54d041bcb38779
SHA256

6ae34a03b7072f4e54b5f974915bc44c99bc73b743752880973a60202a452334
SHA512

5aea9b23a18a42484167a8eb4c20bd97c8feb9586fb7713433ac0ea1161cd65581c73b341139c8073ea6c33021ec916b43d5073121fd5d389a0fd4b63af361c9
SSDEEP

98304:cl/l7y5LQoicjEtdHekvLIXguUeNwsuRhwudj0mud1myqKDNyzMrXNeP:clc5LQbT5IwENw370KydLNeP

Score

10^/10

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1335228919074394162/NmpqtjCR014wUqJyXtyzpFlF7on3n_ELGV4OU8JcU37naJowmUn6StDcbnTpKYvoFssl

Targets

- Target
  
  Zorara-v2.4.34-x64.zip
- Size
  
  5.1MB
- MD5
  
  f444277db648196959fc50cd1a5da310
- SHA1
  
  28534db54aadb775c2437b5f4c54d041bcb38779
- SHA256
  
  6ae34a03b7072f4e54b5f974915bc44c99bc73b743752880973a60202a452334
- SHA512
  
  5aea9b23a18a42484167a8eb4c20bd97c8feb9586fb7713433ac0ea1161cd65581c73b341139c8073ea6c33021ec916b43d5073121fd5d389a0fd4b63af361c9
- SSDEEP
  
  98304:cl/l7y5LQoicjEtdHekvLIXguUeNwsuRhwudj0mud1myqKDNyzMrXNeP:clc5LQbT5IwENw370KydLNeP
Score

1^/10
behavioral1 behavioral2
- Target
  
  Zorara-v2.4.34-x64/Zorara.dll
- Size
  
  1.2MB
- MD5
  
  8363219b62cf490fea5571d5b779c174
- SHA1
  
  3d259f711d21053b7323a740e8c256ca77c64efd
- SHA256
  
  9840c97b35afb77418d541ef2f1b5da93c0d7d9632c334ec7444ceadeb0f9fa8
- SHA512
  
  70874a58bbcc263e1c929e479bde31e731cb26cec6a51081f3d33ae37be32b4c9e96a36306d997f12a81e0867bc13a0c32baf14c52b9f1dfab894decf7305a22
- SSDEEP
  
  24576:9G0w6ywcoFdPEb8j3+ClaySrLH7+4r3e7540eFMWFFpKc:9G0w6OaZlaxfHy4r3e75w9F
Score

1^/10
behavioral3 behavioral4
- Target
  
  Zorara-v2.4.34-x64/Zorara.exe.WebView2/EBWebView/Speech Recognition/1.15.0.1/Microsoft.CognitiveServices.Speech.core.dll
- Size
  
  2.6MB
- MD5
  
  0ee2b50c85a110689352fccfa77b5b18
- SHA1
  
  d9ecc4b12d2d50e3cbce40e75edad804c9988b25
- SHA256
  
  62a13d8459e0992c311dc3551bf3c2d1ce167ea7fa40f0ec62193f3bd760b36e
- SHA512
  
  a4f94a05a69b5ae3a0ecf8bdb7592f698d0df81e2f1fae679f38890ad04a2384883837bc792c73848955ff4af7afed49d38839f7ab174454e61919ed78655bff
- SSDEEP
  
  49152:NodIJ85qaIU7ui8DDR5s8L0Oty8CvFqwsNcrCY2/YUZzQ7L9qhV6O8mOn0k10:gEDRwrcAwDl
Score

1^/10
behavioral5 behavioral6
- Target
  
  Microsoft.CognitiveServices.Speech.core.dll
- Size
  
  2.6MB
- MD5
  
  0ee2b50c85a110689352fccfa77b5b18
- SHA1
  
  d9ecc4b12d2d50e3cbce40e75edad804c9988b25
- SHA256
  
  62a13d8459e0992c311dc3551bf3c2d1ce167ea7fa40f0ec62193f3bd760b36e
- SHA512
  
  a4f94a05a69b5ae3a0ecf8bdb7592f698d0df81e2f1fae679f38890ad04a2384883837bc792c73848955ff4af7afed49d38839f7ab174454e61919ed78655bff
- SSDEEP
  
  49152:NodIJ85qaIU7ui8DDR5s8L0Oty8CvFqwsNcrCY2/YUZzQ7L9qhV6O8mOn0k10:gEDRwrcAwDl
Score

1^/10
behavioral7 behavioral8
- Target
  
  Zorara-v2.4.34-x64/ZoraraB.exe
- Size
  
  231KB
- MD5
  
  320488aae7f6f97979d69c0e8c364f2e
- SHA1
  
  c2f7d9466e4c590d63d4ccb2d12bf3b7c8e56a65
- SHA256
  
  2b5b5c595e2abb3fd2f95aa17727de6340a3e921b310c7f9499f0fb31375e51e
- SHA512
  
  ff76790d552d708bc39859ae1f542de75662857e179acd8fa4d063ca30fb4e22ee3038aa0c543721a5d03b3c96eeda6843c81b05e7ffa65d80470445ba53ad5e
- SSDEEP
  
  6144:RloZMLrIkd8g+EtXHkv/iD4NQEmPlO2Z1c1niinVwb8e1mni:joZ0L+EP8NQEmPlO2Z1c1niinKd
Score

10^/10

umbral execution spyware stealer
- Detect Umbral payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Umbral family
  umbral
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral10 behavioral9
- Target
  
  Zorara-v2.4.34-x64/ZoraraUI.dll
- Size
  
  95KB
- MD5
  
  38246fb0d91772bb188b74956fcac653
- SHA1
  
  5b513501576bfd408c002bc7e3937222bd5880da
- SHA256
  
  5467a08450f3330e5aecfcac90b7e2f6005b7031b2e900c6080e894ff435223a
- SHA512
  
  66c2db8045386a2e3cf43cd56c9fc72d34108a4092fec0ef83c4817a6e2484ddde4d3366228532cbe60bff02d6e28b6c7354c749db955de236396dc29116251a
- SSDEEP
  
  1536:htOb8p1vRzSfcuafx2WR42zxMVY6dTPrvWa5riimh3VuM/APHV5y6SlSW8lXR:hEbfWytdTPrvWAPuw7Pby6S+lXR
Score

1^/10
behavioral11 behavioral12
- Target
  
  Zorara-v2.4.34-x64/scripts/UNCCheckEnv.lua
- Size
  
  28KB
- MD5
  
  b76726d10354343d9af5c268e40b47c4
- SHA1
  
  7103c78071be0c65c8b3a217168cf7909aef748e
- SHA256
  
  e8d53406c916b8e827c65c8f00d8a18b1379e693fd0379e8116e749bdf860cf5
- SHA512
  
  5caffd8a06058e890fe4ae35430539281cf53fa791221189f0f6660778a83fa42cc3e5374ce06ff325420d92006c2bfe1003f1486714e889964075da66b046eb
- SSDEEP
  
  768:JopEYRzOKMrGrE7BWf9r+T+f9TkIuP4hUUsbU8FqQFBF5UXzRFEe3cSG5Sg/i5rx:JEKcZuy9p
Score

3^/10

execution
behavioral13 behavioral14

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Targets

Detect Umbral payload

Umbral family

Command and Scripting Interpreter: PowerShell

Command and Scripting Interpreter: PowerShell

Drops file in Drivers directory

Reads user/profile data of web browsers

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14