umbral | 3b5953d3ea0420345b5c1e9efdbb88ea80bcaa99f2582834c2cd545efa84880c | Triage

Sharing

General

Target

nigga2.bat
Size

1KB
Sample

250323-2r256ssqs6
MD5

06aafbdb0650ecee01c1bdb6b7b51fdb
SHA1

ad8c1f0ca620d813ce8e3280139817db583f9c4e
SHA256

3b5953d3ea0420345b5c1e9efdbb88ea80bcaa99f2582834c2cd545efa84880c
SHA512

039a8ca7db486f7c473a07c22c4269c211fc44175d3fb480eeaf5435df23a70151927940b0bf6a7bbc29b12b1d9a84ab5240686e05cc9daae0d54920d2d84fb9

Score

10^/10

umbral defense_evasion execution spyware stealer trojan

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1346186242164916254/XSGGtSWs1IP-qhWb9F-7vKZ6AbJ1Ah-y8ACFyf9MRP2SkcfW16QzCkiWhzv0YmF7kEXM

Targets

- Target
  
  nigga2.bat
- Size
  
  1KB
- MD5
  
  06aafbdb0650ecee01c1bdb6b7b51fdb
- SHA1
  
  ad8c1f0ca620d813ce8e3280139817db583f9c4e
- SHA256
  
  3b5953d3ea0420345b5c1e9efdbb88ea80bcaa99f2582834c2cd545efa84880c
- SHA512
  
  039a8ca7db486f7c473a07c22c4269c211fc44175d3fb480eeaf5435df23a70151927940b0bf6a7bbc29b12b1d9a84ab5240686e05cc9daae0d54920d2d84fb9
Score

10^/10

defense_evasion execution trojan umbral spyware stealer
- Detect Umbral payload
- UAC bypass
  defense_evasion trojan
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Umbral family
  umbral
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Command and Scripting Interpreter: PowerShell
  Powershell Invoke Web Request.
  execution
- Downloads MZ/PE file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

defense_evasionexecutiontrojan

behavioral2

umbraldefense_evasionexecutionspywarestealertrojan