MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ba744148ffbb3a1489f887660918fd7746928834f3db79e30cb7919000469a7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


UmbralStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1ba744148ffbb3a1489f887660918fd7746928834f3db79e30cb7919000469a7
SHA3-384 hash: a5a8423010232a130ef29b0ba9aeb6f8f462b912881c9c0e65de048694032fb403cff974952ea5423e19860892d68135
SHA1 hash: 29c8671f67c2603444189d90bb4fac99a363948d
MD5 hash: 66a30754bd84a3029e6cb6534e4a6662
humanhash: mike-magnesium-victor-fruit
File name:jnbndzimageloggerv1.0Setup.exe.bin
Download: download sample
Signature UmbralStealer
Create hunting rule
File size:1'770'496 bytes
First seen:2025-03-19 12:03:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'861 x AgentTesla, 19'793 x Formbook, 12'305 x SnakeKeylogger)
ssdeep 49152:3mw0ZW7nz1b+vTlN4QCKWP8UEmt2pR+2ChEGnn7TMiA9Nu:2w0Q75yrlOxKDOf2YEWMiA/
Threatray 105 similar samples on MalwareBazaar
TLSH T1FF853315398A981BCBE680FF691CEF7D3194B2498ED5DF19DC766BBCC9AC5180648E00
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter KatzenTech
Tags:exe UmbralStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
388
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
jnbndzimageloggerv1.0Setup.exe
Verdict:
Malicious activity
Analysis date:
2025-03-18 20:58:26 UTC
Tags:
evasion stealer autorun-startup umbralstealer discord exfiltration discordgrabber generic divulgestealer umbral ims-api
Link:
https://app.any.run/tasks/086b03ac-b427-4fb7-a10a-72a2e94012d2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.BackDoor.Quasar.1.12816.4917.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67d9de71194f23322a70e40a
Tags:
vmdetect delphi
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
DNS request
Connection attempt
Sending a custom TCP request
Launching a process
Sending an HTTP GET request
Enabling the 'hidden' option for recently created files
Unauthorized injection to a recently created process
Adding an exclusion to Microsoft Defender
Changing the hosts file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/67dab2c90a7899f3579dde2e/reports/2ce91604-1a87-4572-8866-5f917e220443/overview
Verdict:
Malicious
Labled as:
Jalapeno.Generic
Link:
https://www.hybrid-analysis.com/sample/1ba744148ffbb3a1489f887660918fd7746928834f3db79e30cb7919000469a7
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Sharp Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4f07cf0e-f338-4abc-914c-998b171896ab
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1642987
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Check if machine is in data center or colocation facility
Drops PE files to the startup folder
Drops PE files with a suspicious file extension
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies the hosts file
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Suspicious Startup Folder Persistence
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Uses attrib.exe to hide files
Uses ping.exe to check the status of other devices and networks
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1642987 Sample: jnbndzimageloggerv1.0Setup.... Startdate: 19/03/2025 Architecture: WINDOWS Score: 76 63 ip-api.com 2->63 65 discord.com 2->65 71 Malicious sample detected (through community Yara rule) 2->71 73 Antivirus detection for dropped file 2->73 75 Antivirus / Scanner detection for submitted sample 2->75 77 15 other signatures 2->77 9 jnbndzimageloggerv1.0Setup.exe.bin.exe 6 2->9         started        signatures3 process4 file5 49 C:\Users\user\...\jnbndz img loggav1.exe, PE32 9->49 dropped 51 C:\Users\user\...\Required Dependencies.exe, PE32 9->51 dropped 53 jnbndzimageloggerv...tup.exe.bin.exe.log, ASCII 9->53 dropped 83 Found many strings related to Crypto-Wallets (likely being stolen) 9->83 13 Required Dependencies.exe 15 11 9->13         started        18 jnbndz img loggav1.exe 17 9->18         started        signatures6 process7 dnsIp8 67 ip-api.com 208.95.112.1, 49720, 49726, 80 TUT-ASUS United States 13->67 69 discord.com 162.159.128.233, 443, 49727, 49728 CLOUDFLARENETUS United States 13->69 55 C:\ProgramData\Microsoft\...\i74kv.scr, PE32 13->55 dropped 57 C:\Windows\System32\drivers\etc\hosts, ASCII 13->57 dropped 85 Suspicious powershell command line found 13->85 87 Found many strings related to Crypto-Wallets (likely being stolen) 13->87 89 Tries to harvest and steal browser information (history, passwords, etc) 13->89 91 3 other signatures 13->91 20 powershell.exe 23 13->20         started        23 cmd.exe 13->23         started        25 WMIC.exe 1 13->25         started        29 9 other processes 13->29 59 C:\...\jnbndz img logga v1.exe, PE32+ 18->59 dropped 61 C:\...\jnbndz img logga v1.dll, PE32 18->61 dropped 27 jnbndz img logga v1.exe 18->27         started        file9 signatures10 process11 signatures12 79 Loading BitLocker PowerShell Module 20->79 31 conhost.exe 20->31         started        33 WmiPrvSE.exe 20->33         started        81 Uses ping.exe to check the status of other devices and networks 23->81 45 2 other processes 23->45 35 conhost.exe 25->35         started        37 conhost.exe 27->37         started        39 conhost.exe 29->39         started        41 conhost.exe 29->41         started        43 conhost.exe 29->43         started        47 6 other processes 29->47 process13
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1ba744148ffbb3a1489f887660918fd7746928834f3db79e30cb7919000469a7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1ba744148ffbb3a1489f887660918fd7746928834f3db79e30cb7919000469a7/
Threat name:
ByteCode-MSIL.Trojan.Jalapeno
Create hunting rule
Status:
Malicious
First seen:
2025-03-18 20:58:28 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dotuifep7oz2cse7rb3gbemp252gskedj463phrqzn4rsaaengtq._file
Verdict:
malicious
Label(s):
umbral
Create hunting rule
Similar samples:
06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1
UmbralStealer
0933217d8ea84d9341154ecc34a3f231cf2ff0e70d67dbe190265c7e26b96cfb
UmbralStealer
5658f42d6332d99827d772a710d74e905f822d23e958c86f802973c2cffe850f
UmbralStealer
5cac485680e36e9e3cea0867d1373edff3a8995a20d21a2b7aa38247a0a3eb1d
UmbralStealer
ce8f179e7e29d4f28f1c5039808e82c198264183166069d8ad567f63275c74a8
UmbralStealer
ea6f9411b4568ed828772ce578f40ff5b38715d067bdd76616d945f14462351a
UmbralStealer
error
UmbralStealer
f4b61c2c346acd3074699990972e4ef89c781801d4391b135e094579094de7f0
UmbralStealer
+ 95 additional samples on MalwareBazaar
Result
Malware family:
umbral
Create hunting rule
Score:
  10/10
Tags:
family:umbral discovery stealer
Link:
https://tria.ge/reports/250319-n8rtwaznv2/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Detect Umbral payload
Umbral
Umbral family
Malware Config
C2 Extraction:
https://discord.com/api/webhooks/1351626711850291220/7JZiwN3yNNwA-M7kc_Nw0PXFmSS6NbWVcxdqtefukH6WSSKsi1bPARiBYn164jeatma6
Verdict:
Malicious
Tags:
external_ip_lookup
YARA:
n/a
Link:
https://app.threat.zone/submission/a0dd8e9d-9333-474c-b0e8-2993bce3b19a
Unpacked files
SH256 hash:
e2c77dc0d8c06d66e93fa8d072534733d3a3bd286130dbc71b0d0723338b230e
MD5 hash:
63e56d3e01f3a648d86ef64e048ea1dc
SHA1 hash:
2dc09b8760b587587c9c04c04cbc0181d97fc073
Link:
https://www.unpac.me/results/64c69874-667b-40df-8b28-8eed1671f6dc/
SH256 hash:
1d350ac7d39eaddf0c9f5e227c50a8be97c5e1d8041ebc187b7dd27b61ab2ac6
MD5 hash:
cc6bdfb2cbc01b3023a608d5ad462782
SHA1 hash:
5d7c6b34345a50fad02a6aba2a6c4806a224d8b2
Detections:
UmbralStealer
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SandboxComputerNames
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SandboxSystemUUIDs
Create hunting rule
MALWARE_Win_UmbralStealer
Create hunting rule
Link:
https://www.unpac.me/results/64c69874-667b-40df-8b28-8eed1671f6dc/
SH256 hash:
1ba744148ffbb3a1489f887660918fd7746928834f3db79e30cb7919000469a7
MD5 hash:
66a30754bd84a3029e6cb6534e4a6662
SHA1 hash:
29c8671f67c2603444189d90bb4fac99a363948d
Link:
https://www.unpac.me/results/64c69874-667b-40df-8b28-8eed1671f6dc/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1ba744148ffb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments