umbral | 5a1dfadc21abdb14962162b1f82b57da371f86baddf890420b252f821dff2699 | Triage

Sharing

General

Target

GTAKiddionsModdestMenu.exe
Size

760KB
Sample

250415-hvbb3stvgy
MD5

eb423c6dc0da5974cb5dbbc694cdeb04
SHA1

cd0a59826f3283d611ec033235fbbe2fc8f127b7
SHA256

5a1dfadc21abdb14962162b1f82b57da371f86baddf890420b252f821dff2699
SHA512

f8fb1a032a44d809aff2d42a776978e9dc99117f20654aee3c51565378de0ba790995925934aa72787799aff29666c2da9dd655c9c400af3509a9f8209616e87
SSDEEP

12288:5jH1hK3ikszq3iNWu6GQzR2ERfm/L5ZQinoF0jJJ3HeCSCwaAt:5T1h+i1myNWujo++

Score

10^/10

umbral discovery execution spyware stealer

Malware Config

Targets

- Target
  
  GTAKiddionsModdestMenu.exe
- Size
  
  760KB
- MD5
  
  eb423c6dc0da5974cb5dbbc694cdeb04
- SHA1
  
  cd0a59826f3283d611ec033235fbbe2fc8f127b7
- SHA256
  
  5a1dfadc21abdb14962162b1f82b57da371f86baddf890420b252f821dff2699
- SHA512
  
  f8fb1a032a44d809aff2d42a776978e9dc99117f20654aee3c51565378de0ba790995925934aa72787799aff29666c2da9dd655c9c400af3509a9f8209616e87
- SSDEEP
  
  12288:5jH1hK3ikszq3iNWu6GQzR2ERfm/L5ZQinoF0jJJ3HeCSCwaAt:5T1h+i1myNWujo++
Score

10^/10

umbral discovery execution spyware stealer
- Detect Umbral payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Umbral family
  umbral
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Drops file in Drivers directory
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

umbraldiscoveryexecutionspywarestealer