umbral | 4762416b6554c13264748f09c55b5360820e3a109f4635131f7744b47c04b684

Analysis

max time kernel
135s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
19-02-2025 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FlireExecutorV.1.exe
Size

256KB
MD5

f2ea31daa0d364dc5b74ecad855ede4b
SHA1

cffc55383ad8204d2a4bb60c54b979b637d3f067
SHA256

4762416b6554c13264748f09c55b5360820e3a109f4635131f7744b47c04b684
SHA512

84e3ea1d1a6dc7ac85046ca950edc424615229958e05115d4d946dd2a4a95fc70af29b8d9b9a052fa867bb8fe559b20dadb96ffb634312eabce371f1b03c1679
SSDEEP

6144:bloZM+rIkd8g+EtXHkv/iD4qobpecjfUz1gevPexbb8e1m5ir:5oZtL+EP8qobpecjfUz1gevPeRL

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral2/memory/4400-1-0x000001FEB23E0000-0x000001FEB2426000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	4400	FlireExecutorV.1.exe
Token: SeIncreaseQuotaPrivilege	1172	wmic.exe
Token: SeSecurityPrivilege	1172	wmic.exe
Token: SeTakeOwnershipPrivilege	1172	wmic.exe
Token: SeLoadDriverPrivilege	1172	wmic.exe
Token: SeSystemProfilePrivilege	1172	wmic.exe
Token: SeSystemtimePrivilege	1172	wmic.exe
Token: SeProfSingleProcessPrivilege	1172	wmic.exe
Token: SeIncBasePriorityPrivilege	1172	wmic.exe
Token: SeCreatePagefilePrivilege	1172	wmic.exe
Token: SeBackupPrivilege	1172	wmic.exe
Token: SeRestorePrivilege	1172	wmic.exe
Token: SeShutdownPrivilege	1172	wmic.exe
Token: SeDebugPrivilege	1172	wmic.exe
Token: SeSystemEnvironmentPrivilege	1172	wmic.exe
Token: SeRemoteShutdownPrivilege	1172	wmic.exe
Token: SeUndockPrivilege	1172	wmic.exe
Token: SeManageVolumePrivilege	1172	wmic.exe
Token: 33	1172	wmic.exe
Token: 34	1172	wmic.exe
Token: 35	1172	wmic.exe
Token: 36	1172	wmic.exe
Token: SeIncreaseQuotaPrivilege	1172	wmic.exe
Token: SeSecurityPrivilege	1172	wmic.exe
Token: SeTakeOwnershipPrivilege	1172	wmic.exe
Token: SeLoadDriverPrivilege	1172	wmic.exe
Token: SeSystemProfilePrivilege	1172	wmic.exe
Token: SeSystemtimePrivilege	1172	wmic.exe
Token: SeProfSingleProcessPrivilege	1172	wmic.exe
Token: SeIncBasePriorityPrivilege	1172	wmic.exe
Token: SeCreatePagefilePrivilege	1172	wmic.exe
Token: SeBackupPrivilege	1172	wmic.exe
Token: SeRestorePrivilege	1172	wmic.exe
Token: SeShutdownPrivilege	1172	wmic.exe
Token: SeDebugPrivilege	1172	wmic.exe
Token: SeSystemEnvironmentPrivilege	1172	wmic.exe
Token: SeRemoteShutdownPrivilege	1172	wmic.exe
Token: SeUndockPrivilege	1172	wmic.exe
Token: SeManageVolumePrivilege	1172	wmic.exe
Token: 33	1172	wmic.exe
Token: 34	1172	wmic.exe
Token: 35	1172	wmic.exe
Token: 36	1172	wmic.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4400 wrote to memory of 1172	4400	FlireExecutorV.1.exe	87
PID 4400 wrote to memory of 1172	4400	FlireExecutorV.1.exe	87

C:\Users\Admin\AppData\Local\Temp\FlireExecutorV.1.exe
"C:\Users\Admin\AppData\Local\Temp\FlireExecutorV.1.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4400
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1172

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4400-0-0x00007FFC474B3000-0x00007FFC474B5000-memory.dmp

Filesize
8KB

Download
memory/4400-1-0x000001FEB23E0000-0x000001FEB2426000-memory.dmp

Filesize
280KB

Download
memory/4400-2-0x00007FFC474B0000-0x00007FFC47F71000-memory.dmp

Filesize
10.8MB

Download
memory/4400-4-0x00007FFC474B0000-0x00007FFC47F71000-memory.dmp

Filesize
10.8MB

Download