MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 234dae6411b0a2ceb80b3b2f552adc69f9ae369864279c5b6111d722534b13f8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

UmbralStealer

Vendor detections: 20

Intelligence 20 IOCs YARA 15 File information Comments

SHA256 hash:	234dae6411b0a2ceb80b3b2f552adc69f9ae369864279c5b6111d722534b13f8
SHA3-384 hash:	eea5d5f43521351899c35687f76425f74988ff3192f11115c0eb2e0117708167514a44a078d92bab839ac47ccbfd241c
SHA1 hash:	946eadd0bb167843dac95517d93c8b201679aaa7
MD5 hash:	08a2567e1caa3b15b18683236ae30223
humanhash:	jersey-july-louisiana-lamp
File name:	LadraoCHEAT.exe
Download:	download sample
Signature	UmbralStealer Create hunting rule
File size:	236'544 bytes
First seen:	2025-09-14 11:15:07 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep	6144:xloZM+rIkd8g+EtXHkv/iD4kjY4xfEY3Mmfh8IteftB48e1mx1i:DoZtL+EP8IY4xfEY3Mmfh8ItwAYc
TLSH	T131346C1837BCCB16E25F8BBED6B1149F8771F103E90AF78E1C8895E82451B42E949E53
TrID	67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10522/11/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	burger
Tags:	exe UmbralStealer

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

https://gofile.io/d/LfmmZC

Verdict:

Malicious activity

Analysis date:

2025-09-14 04:45:59 UTC

Tags:

arch-exec evasion anti-evasion stealer umbralstealer discord exfiltration generic divulgestealer umbral ims-api

Link:

https://app.any.run/tasks/eb82ed9a-246a-4415-b292-8491e8c0f879

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

UmbralStealer

Link:

https://www.capesandbox.com/analysis/27412/

Detection(s):

Win.Packed.Msilzilla-9952790-0

Win.Packed.Msilzilla-9955952-0

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68c6a39ed49ea3f1e4b58b6a

Tags:

vmdetect

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Connection attempt

Sending a custom TCP request

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm anti-vm fingerprint hacktool obfuscated obfuscated obfuscated rat threat

Link:

https://www.filescan.io/uploads/68c6a42cdbc6f5a29c443e15/reports/8512ece1-0cc7-4c96-bad9-8aa6641320c7/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/234dae6411b0a2ceb80b3b2f552adc69f9ae369864279c5b6111d722534b13f8

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-09-14T08:17:00Z UTC

Last seen:

2025-09-14T08:17:00Z UTC

Hits:

~10

Detections:

Trojan-PSW.MSIL.Umbral.sb Trojan-PSW.MSIL.Stealer.sb HEUR:Trojan.MSIL.Dizemp.gen

Link:

https://opentip.kaspersky.com/234dae6411b0a2ceb80b3b2f552adc69f9ae369864279c5b6111d722534b13f8/results?tab=lookup

Malware family:

Sharp Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/68a62452-169b-44b1-9bca-eae051d91d70

Result

Threat name:

Blank Grabber, Umbral Stealer

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1777222

Signature

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Check if machine is in data center or colocation facility

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sample uses string decryption to hide its real strings

Suricata IDS alerts for network traffic

Yara detected Blank Grabber

Yara detected Umbral Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

97%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/234dae6411b0a2ceb80b3b2f552adc69f9ae369864279c5b6111d722534b13f8

Verdict:

inconclusive

YARA:

11 match(es)

Tags:

.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.53 Win 32 Exe x86

Link:

https://app.malva.re/file/08a2567e1caa3b15b18683236ae30223

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/234dae6411b0a2ceb80b3b2f552adc69f9ae369864279c5b6111d722534b13f8/

Verdict:

Malicious

Threat:

Family.UMBRAL

Link:

https://tip.neiki.dev/file/234dae6411b0a2ceb80b3b2f552adc69f9ae369864279c5b6111d722534b13f8

Threat name:

ByteCode-MSIL.Trojan.UmbralStealer

Status:

Malicious

First seen:

2025-09-14 11:14:47 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 24 (91.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=eng24zarwcrm5oalhmxvkkw4nh424nuymqtzyw3bchlseu2lcp4a._file

Verdict:

malicious

Label(s):

umbral

Similar samples:

error

UmbralStealer

Result

Malware family:

umbral

Score:

10/10

Tags:

family:umbral stealer

Link:

https://tria.ge/reports/250914-ndlpdasl12/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Looks up external IP address via web service

Detects Umbral payload

Umbral

Umbral family

Malware Config

C2 Extraction:

https://discord.com/api/webhooks/1416610938534236200/_SqneXRW84-XyCk7JnnZp8Qm8R7p77lGPNtNkjIbpI3WyrHfT6Z4_umndSkFMkkvD2Fj

Verdict:

Malicious

Tags:

stealer umbral Win.Packed.Msilzilla-9952790-0

YARA:

MALWARE_Win_Umbralstealer

Link:

https://app.threat.zone/submission/1182e327-7a2b-4f29-944d-1f6d9380758a

Unpacked files

SH256 hash:

234dae6411b0a2ceb80b3b2f552adc69f9ae369864279c5b6111d722534b13f8

MD5 hash:

08a2567e1caa3b15b18683236ae30223

SHA1 hash:

946eadd0bb167843dac95517d93c8b201679aaa7

Detections:

UmbralStealer

Link:

https://www.unpac.me/results/b9af1cf1-21af-48a5-abf2-8f102c143914/

Malware family:

UmbralStealer

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/234dae6411b0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/234dae6411b0a2ceb80b3b2f552adc69f9ae369864279c5b6111d722534b13f8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	INDICATOR_SUSPICIOUS_EXE_SandboxComputerNames Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing possible sandbox analysis VM names

Rule name:	INDICATOR_SUSPICIOUS_EXE_SandboxSystemUUIDs Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing possible sandbox system UUIDs

Rule name:	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing possible sandbox analysis VM usernames

Rule name:	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice Create hunting rule
Author:	ditekSHen
Description:	Detects executables attemping to enumerate video devices using WMI

Rule name:	MALWARE_Win_UmbralStealer Create hunting rule
Author:	ditekShen
Description:	Detects Umbral infostealer

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	UmbrealStealerEXIFData Create hunting rule
Author:	adm1n_usa32
Description:	Detects UmbralStealer by obvious comment in EXIF Data

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/27412/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample