umbral | 8a5df02a019f735361db01e5236473ef17cbbcb4843d2fd9f1d35fb6056a2333 | Triage

Sharing

General

Target

tempfixed.exe
Size

945KB
Sample

250412-vd9jrsyls2
MD5

643ea9f09b2a1569d837e3ed4df1cde3
SHA1

49cfb0d2624c1e21505f29ccb3dd84fe760f36bf
SHA256

8a5df02a019f735361db01e5236473ef17cbbcb4843d2fd9f1d35fb6056a2333
SHA512

8a46f9d86486acbed1ab277bcb730693c215e2932f84a512d327bda77cd539bcd48d119278817439c4d4762d0ca83de94c05dd242cb59d478fbc9eb4f0a0241c
SSDEEP

24576:f+rGtLxxYkWKYqJYmbb0bxpi2OsDVp2f0/NLTq+avT4BcCi:WGtDYkWezvYxZpp2f0/NLTq+avT4BcCi

Score

10^/10

umbral execution persistence privilege_escalation spyware stealer

Malware Config

Targets

- Target
  
  tempfixed.exe
- Size
  
  945KB
- MD5
  
  643ea9f09b2a1569d837e3ed4df1cde3
- SHA1
  
  49cfb0d2624c1e21505f29ccb3dd84fe760f36bf
- SHA256
  
  8a5df02a019f735361db01e5236473ef17cbbcb4843d2fd9f1d35fb6056a2333
- SHA512
  
  8a46f9d86486acbed1ab277bcb730693c215e2932f84a512d327bda77cd539bcd48d119278817439c4d4762d0ca83de94c05dd242cb59d478fbc9eb4f0a0241c
- SSDEEP
  
  24576:f+rGtLxxYkWKYqJYmbb0bxpi2OsDVp2f0/NLTq+avT4BcCi:WGtDYkWezvYxZpp2f0/NLTq+avT4BcCi
Score

10^/10

umbral execution persistence privilege_escalation spyware stealer
- Detect Umbral payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Umbral family
  umbral
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

umbralexecutionpersistenceprivilege_escalationspywarestealer