umbral | 3d5619f53fac5d324a867e69fd61c51a54ad1d3d28a998f3b85f78598703dcac | Triage

Sharing

General

Target

download.exe_
Size

290KB
Sample

250324-tw3y9sswgv
MD5

244360e3e1f45bf12f428ea3846d2b8a
SHA1

188e9b7018e2dac9beb3b2bfdbeae98dfb9e9978
SHA256

3d5619f53fac5d324a867e69fd61c51a54ad1d3d28a998f3b85f78598703dcac
SHA512

65157507e439c91b8b67c895f962d8e780cfaf8638bd4827cac72abc06b7cbd613373193782c55f58b377d85bc545f2bcd11e4b0c22e677f162bb34d772203ab
SSDEEP

6144:Fuq1IOhVlGyWxgf4w+EowI7kwC6Snw8d9:Fuq1IMlGynfd+EAjC6Swi

Score

10^/10

umbral discovery execution spyware stealer

Malware Config

Targets

- Target
  
  download.exe_
- Size
  
  290KB
- MD5
  
  244360e3e1f45bf12f428ea3846d2b8a
- SHA1
  
  188e9b7018e2dac9beb3b2bfdbeae98dfb9e9978
- SHA256
  
  3d5619f53fac5d324a867e69fd61c51a54ad1d3d28a998f3b85f78598703dcac
- SHA512
  
  65157507e439c91b8b67c895f962d8e780cfaf8638bd4827cac72abc06b7cbd613373193782c55f58b377d85bc545f2bcd11e4b0c22e677f162bb34d772203ab
- SSDEEP
  
  6144:Fuq1IOhVlGyWxgf4w+EowI7kwC6Snw8d9:Fuq1IMlGynfd+EAjC6Swi
Score

10^/10

discovery umbral execution spyware stealer
- Detect Umbral payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Umbral family
  umbral
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

umbraldiscoveryexecutionspywarestealer