umbral | 525209de288e36bab56d3a19446249ffd067c8757b5d5870daa6a782b9567e74

Analysis

max time kernel
107s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6bcf96280909b8139cf7fb517241d0b12c45f7fa2f1681cb7bc9caac33ef5867.exe
Size

229KB
MD5

c43fa6e8e418363f5b9bd2bac94e03ac
SHA1

4e557326d845f150c37e71d23f2e816942f6f53c
SHA256

6bcf96280909b8139cf7fb517241d0b12c45f7fa2f1681cb7bc9caac33ef5867
SHA512

1535626a7d98e33546f04623c7a405ded146a273422934d47c15f6862dc988212776b27270cf25434704dbf31a22dea5049e0b735b1861645e54510aa1f103ac
SSDEEP

6144:lloZM+rIkd8g+EtXHkv/iD4qCslEKtFucr20VJgqAb8e1mND8i:noZtL+EP8qCslEKtFucr20VJgDYx

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral10/memory/3460-1-0x0000020D3E9E0000-0x0000020D3EA20000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ip-api.com

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	3460	6bcf96280909b8139cf7fb517241d0b12c45f7fa2f1681cb7bc9caac33ef5867.exe
Token: SeIncreaseQuotaPrivilege	4064	wmic.exe
Token: SeSecurityPrivilege	4064	wmic.exe
Token: SeTakeOwnershipPrivilege	4064	wmic.exe
Token: SeLoadDriverPrivilege	4064	wmic.exe
Token: SeSystemProfilePrivilege	4064	wmic.exe
Token: SeSystemtimePrivilege	4064	wmic.exe
Token: SeProfSingleProcessPrivilege	4064	wmic.exe
Token: SeIncBasePriorityPrivilege	4064	wmic.exe
Token: SeCreatePagefilePrivilege	4064	wmic.exe
Token: SeBackupPrivilege	4064	wmic.exe
Token: SeRestorePrivilege	4064	wmic.exe
Token: SeShutdownPrivilege	4064	wmic.exe
Token: SeDebugPrivilege	4064	wmic.exe
Token: SeSystemEnvironmentPrivilege	4064	wmic.exe
Token: SeRemoteShutdownPrivilege	4064	wmic.exe
Token: SeUndockPrivilege	4064	wmic.exe
Token: SeManageVolumePrivilege	4064	wmic.exe
Token: 33	4064	wmic.exe
Token: 34	4064	wmic.exe
Token: 35	4064	wmic.exe
Token: 36	4064	wmic.exe
Token: SeIncreaseQuotaPrivilege	4064	wmic.exe
Token: SeSecurityPrivilege	4064	wmic.exe
Token: SeTakeOwnershipPrivilege	4064	wmic.exe
Token: SeLoadDriverPrivilege	4064	wmic.exe
Token: SeSystemProfilePrivilege	4064	wmic.exe
Token: SeSystemtimePrivilege	4064	wmic.exe
Token: SeProfSingleProcessPrivilege	4064	wmic.exe
Token: SeIncBasePriorityPrivilege	4064	wmic.exe
Token: SeCreatePagefilePrivilege	4064	wmic.exe
Token: SeBackupPrivilege	4064	wmic.exe
Token: SeRestorePrivilege	4064	wmic.exe
Token: SeShutdownPrivilege	4064	wmic.exe
Token: SeDebugPrivilege	4064	wmic.exe
Token: SeSystemEnvironmentPrivilege	4064	wmic.exe
Token: SeRemoteShutdownPrivilege	4064	wmic.exe
Token: SeUndockPrivilege	4064	wmic.exe
Token: SeManageVolumePrivilege	4064	wmic.exe
Token: 33	4064	wmic.exe
Token: 34	4064	wmic.exe
Token: 35	4064	wmic.exe
Token: 36	4064	wmic.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3460 wrote to memory of 4064	3460	6bcf96280909b8139cf7fb517241d0b12c45f7fa2f1681cb7bc9caac33ef5867.exe	88
PID 3460 wrote to memory of 4064	3460	6bcf96280909b8139cf7fb517241d0b12c45f7fa2f1681cb7bc9caac33ef5867.exe	88

C:\Users\Admin\AppData\Local\Temp\6bcf96280909b8139cf7fb517241d0b12c45f7fa2f1681cb7bc9caac33ef5867.exe
"C:\Users\Admin\AppData\Local\Temp\6bcf96280909b8139cf7fb517241d0b12c45f7fa2f1681cb7bc9caac33ef5867.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3460
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4064

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3460-0-0x00007FFE97B53000-0x00007FFE97B55000-memory.dmp

Filesize
8KB

Download
memory/3460-1-0x0000020D3E9E0000-0x0000020D3EA20000-memory.dmp

Filesize
256KB

Download
memory/3460-2-0x00007FFE97B50000-0x00007FFE98611000-memory.dmp

Filesize
10.8MB

Download
memory/3460-4-0x00007FFE97B50000-0x00007FFE98611000-memory.dmp

Filesize
10.8MB

Download