Extracted

• • Target

    Photon External.exe

  • Size

    448KB

  • MD5

    114977c4b8e58661eca598e3e864ccea

  • SHA1

    f4cd68a7a9f39252b3d9337f6d4bb1f2b2ba66fb

  • SHA256

    de0b828a0c5a7de9ee5cb878bf53c26294106ba05d1cc1d09e34463c6bb37e45

  • SHA512

    7e5730e53a6c3b9f444659f81ab582216f54ee36b2d6be59893cd93711ad2dbe125d00ca4107238324321e661a3783cf2b6de6c4f9469fad7677e7a2965bf988

  • SSDEEP

    12288:7oZtL+EP8q6BoHdmOhWU9va6vAZQtPgkFDIknaHeELrvajxzp:FI8hBoHdmOhWU9va6vACNF5niecmxz

  Score

  10^/10

  umbraladwarediscoverypersistenceprivilege_escalationstealer

  • Detect Umbral payload

  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral

  • Umbral family

    umbral

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Downloads MZ/PE file

  • Event Triggered Execution: Component Object Model Hijacking

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation

  • Executes dropped EXE

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Installs/modifies Browser Helper Object

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  behavioral1