umbral | c59ef7d6d7af7d2196cf240b6a553ffa9754c11b4c17c0e99a6fe2d04ea0bfda

Analysis

max time kernel
16s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-02-2025 02:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ID TOLL HAKER.exe
Size

230KB
MD5

1b8e46d407820787a4dccb0d0922788c
SHA1

de5efbaca828296b631a23a0ae7b3059aa006e95
SHA256

c59ef7d6d7af7d2196cf240b6a553ffa9754c11b4c17c0e99a6fe2d04ea0bfda
SHA512

3ec56097228028455183907f95251a183acdd8ad7f9df872d8e1f4bfaab0f10bbe3304d7fccc5640fc5f1e0a79710290a91af20fffc526afdaaa21e2a8809dac
SSDEEP

6144:lloZM+rIkd8g+EtXHkv/iD4z2/uAmB5Ky/Cwhl0vRb8e1mii:noZtL+EP8z2/uAmB5Ky/Cwhl0B8

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/2004-1-0x0000000000B30000-0x0000000000B70000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	2004	ID TOLL HAKER.exe
Token: SeIncreaseQuotaPrivilege	2372	wmic.exe
Token: SeSecurityPrivilege	2372	wmic.exe
Token: SeTakeOwnershipPrivilege	2372	wmic.exe
Token: SeLoadDriverPrivilege	2372	wmic.exe
Token: SeSystemProfilePrivilege	2372	wmic.exe
Token: SeSystemtimePrivilege	2372	wmic.exe
Token: SeProfSingleProcessPrivilege	2372	wmic.exe
Token: SeIncBasePriorityPrivilege	2372	wmic.exe
Token: SeCreatePagefilePrivilege	2372	wmic.exe
Token: SeBackupPrivilege	2372	wmic.exe
Token: SeRestorePrivilege	2372	wmic.exe
Token: SeShutdownPrivilege	2372	wmic.exe
Token: SeDebugPrivilege	2372	wmic.exe
Token: SeSystemEnvironmentPrivilege	2372	wmic.exe
Token: SeRemoteShutdownPrivilege	2372	wmic.exe
Token: SeUndockPrivilege	2372	wmic.exe
Token: SeManageVolumePrivilege	2372	wmic.exe
Token: 33	2372	wmic.exe
Token: 34	2372	wmic.exe
Token: 35	2372	wmic.exe
Token: SeIncreaseQuotaPrivilege	2372	wmic.exe
Token: SeSecurityPrivilege	2372	wmic.exe
Token: SeTakeOwnershipPrivilege	2372	wmic.exe
Token: SeLoadDriverPrivilege	2372	wmic.exe
Token: SeSystemProfilePrivilege	2372	wmic.exe
Token: SeSystemtimePrivilege	2372	wmic.exe
Token: SeProfSingleProcessPrivilege	2372	wmic.exe
Token: SeIncBasePriorityPrivilege	2372	wmic.exe
Token: SeCreatePagefilePrivilege	2372	wmic.exe
Token: SeBackupPrivilege	2372	wmic.exe
Token: SeRestorePrivilege	2372	wmic.exe
Token: SeShutdownPrivilege	2372	wmic.exe
Token: SeDebugPrivilege	2372	wmic.exe
Token: SeSystemEnvironmentPrivilege	2372	wmic.exe
Token: SeRemoteShutdownPrivilege	2372	wmic.exe
Token: SeUndockPrivilege	2372	wmic.exe
Token: SeManageVolumePrivilege	2372	wmic.exe
Token: 33	2372	wmic.exe
Token: 34	2372	wmic.exe
Token: 35	2372	wmic.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 2372	2004	ID TOLL HAKER.exe	30
PID 2004 wrote to memory of 2372	2004	ID TOLL HAKER.exe	30
PID 2004 wrote to memory of 2372	2004	ID TOLL HAKER.exe	30

C:\Users\Admin\AppData\Local\Temp\ID TOLL HAKER.exe
"C:\Users\Admin\AppData\Local\Temp\ID TOLL HAKER.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2372

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2004-0-0x000007FEF5463000-0x000007FEF5464000-memory.dmp

Filesize
4KB

Download
memory/2004-1-0x0000000000B30000-0x0000000000B70000-memory.dmp

Filesize
256KB

Download
memory/2004-2-0x000007FEF5460000-0x000007FEF5E4C000-memory.dmp

Filesize
9.9MB

Download
memory/2004-3-0x000007FEF5460000-0x000007FEF5E4C000-memory.dmp

Filesize
9.9MB

Download