umbral | f255a381ef85b1da243ce96a36362bf08fe313ff0666e58e40430bbbd365e3f3

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-02-2025 08:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Umbral.exe
Size

230KB
MD5

cd32fdd05be451dcebaa04ed226b417d
SHA1

2ee53c0439df3d1d490df3ae4ae392d1b3bdde4f
SHA256

f255a381ef85b1da243ce96a36362bf08fe313ff0666e58e40430bbbd365e3f3
SHA512

b76af4ff2da8a31dda4b8d32b5eec349862f1b1c75d8806f4dbbbe46e7de899162cd5f79d857766fb934b8ad56f1e9b6e836cba78d1e9f0374d0fc97568e65e4
SSDEEP

6144:1loZM+rIkd8g+EtXHkv/iD4IbGlW0b3cwNImHHm4ib8e1mbi:XoZtL+EP8IbGlW0b3cwNImHHm/R

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/2064-1-0x0000000000D50000-0x0000000000D90000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	2064	Umbral.exe
Token: SeIncreaseQuotaPrivilege	2252	wmic.exe
Token: SeSecurityPrivilege	2252	wmic.exe
Token: SeTakeOwnershipPrivilege	2252	wmic.exe
Token: SeLoadDriverPrivilege	2252	wmic.exe
Token: SeSystemProfilePrivilege	2252	wmic.exe
Token: SeSystemtimePrivilege	2252	wmic.exe
Token: SeProfSingleProcessPrivilege	2252	wmic.exe
Token: SeIncBasePriorityPrivilege	2252	wmic.exe
Token: SeCreatePagefilePrivilege	2252	wmic.exe
Token: SeBackupPrivilege	2252	wmic.exe
Token: SeRestorePrivilege	2252	wmic.exe
Token: SeShutdownPrivilege	2252	wmic.exe
Token: SeDebugPrivilege	2252	wmic.exe
Token: SeSystemEnvironmentPrivilege	2252	wmic.exe
Token: SeRemoteShutdownPrivilege	2252	wmic.exe
Token: SeUndockPrivilege	2252	wmic.exe
Token: SeManageVolumePrivilege	2252	wmic.exe
Token: 33	2252	wmic.exe
Token: 34	2252	wmic.exe
Token: 35	2252	wmic.exe
Token: SeIncreaseQuotaPrivilege	2252	wmic.exe
Token: SeSecurityPrivilege	2252	wmic.exe
Token: SeTakeOwnershipPrivilege	2252	wmic.exe
Token: SeLoadDriverPrivilege	2252	wmic.exe
Token: SeSystemProfilePrivilege	2252	wmic.exe
Token: SeSystemtimePrivilege	2252	wmic.exe
Token: SeProfSingleProcessPrivilege	2252	wmic.exe
Token: SeIncBasePriorityPrivilege	2252	wmic.exe
Token: SeCreatePagefilePrivilege	2252	wmic.exe
Token: SeBackupPrivilege	2252	wmic.exe
Token: SeRestorePrivilege	2252	wmic.exe
Token: SeShutdownPrivilege	2252	wmic.exe
Token: SeDebugPrivilege	2252	wmic.exe
Token: SeSystemEnvironmentPrivilege	2252	wmic.exe
Token: SeRemoteShutdownPrivilege	2252	wmic.exe
Token: SeUndockPrivilege	2252	wmic.exe
Token: SeManageVolumePrivilege	2252	wmic.exe
Token: 33	2252	wmic.exe
Token: 34	2252	wmic.exe
Token: 35	2252	wmic.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 2252	2064	Umbral.exe	31
PID 2064 wrote to memory of 2252	2064	Umbral.exe	31
PID 2064 wrote to memory of 2252	2064	Umbral.exe	31

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2252

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2064-0-0x000007FEF63F3000-0x000007FEF63F4000-memory.dmp

Filesize
4KB

Download
memory/2064-1-0x0000000000D50000-0x0000000000D90000-memory.dmp

Filesize
256KB

Download
memory/2064-2-0x000007FEF63F0000-0x000007FEF6DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2064-3-0x000007FEF63F0000-0x000007FEF6DDC000-memory.dmp

Filesize
9.9MB

Download