MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 25544fc625914d2e5cff02a8b4c29ebc4d305151bceae57ac742ad8a60ef8ca6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



UmbralStealer


Vendor detections: 18



SHA256 hash: 25544fc625914d2e5cff02a8b4c29ebc4d305151bceae57ac742ad8a60ef8ca6
SHA3-384 hash: 772fae5cd278fdca0e911c5c4a6bf919f80b50b41075f0b314a2066bf35493fbdbb5d42cbea6044a6cddf546f3915159
SHA1 hash: 22e666896afd2438b9b134d66504cdbf73c3490e
MD5 hash: b9e1d6ef476dbdd073763ad6a88d60d5
humanhash: dakota-high-purple-april
File name:TweakService.exe
Signature UmbralStealer
File size:288'768 bytes
First seen:2026-03-26 22:23:26 UTC
Last seen:2026-03-26 23:25:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'855 x AgentTesla, 19'783 x Formbook, 12'304 x SnakeKeylogger)
ssdeep 3072:RH7RXLbSSBaDqjH9xj35efxC7yJb3G07nTmi45JH6adgeVcYAKHjmtL35nN9QG3:RH7DBD9xjpMD5MvHBdgy9m3Dt
Threatray 291 similar samples on MalwareBazaar
TLSH T15E54DF0BE2A08112F18E35F00B93CA701EF66D7D249B062769E17FEFBA3954D7895D06
TrID 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 4098822898c67031 (1 x UmbralStealer)
Reporter BastianHein
Tags:exe UmbralStealer

Intelligence


File Origin
# of uploads :
2
# of downloads :
122
Origin country :
CL
Vendor Threat Intelligence
Malware configuration found for:
EvilCoder Umbral
Details
EvilCoder
extracted components, their filepaths, and possibly registry installation
Umbral
a Discord webhook, a version, a mutex, and varying boolean fields
Malware family:
n/a
ID:
1
File name:
TweakService.exe
Verdict:
Malicious activity
Analysis date:
2026-03-25 05:52:38 UTC
Tags:
anti-evasion evasion stealer umbralstealer discord exfiltration arch-doc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
vmdetect
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Creating a window
DNS request
Launching cmd.exe command interpreter
Creating a process with a hidden window
Launching a process
Connection attempt
Unauthorized injection to a recently created process
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-03-25T02:57:00Z UTC
Last seen:
2026-03-28T05:25:00Z UTC
Hits:
~10
Detections:
UDS:DangerousObject.Multi.Generic Trojan-PSW.Win32.Disco.sb Trojan-PSW.MSIL.Stealer.sb HEUR:Trojan-Spy.MSIL.Stealer.gen HEUR:Trojan-Dropper.MSIL.Agent.gen Trojan-PSW.MSIL.Umbral.sb Trojan-PSW.MSIL.Umbral.ii Trojan.MSIL.Agent.sb HEUR:Trojan-PSW.MSIL.Umbral.gen HEUR:Trojan.MSIL.Exnet.gen
Malware family:
Sharp Stealer
Verdict:
Malicious
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.21 Win 32 Exe x86
Threat name:
ByteCode-MSIL.Trojan.Cassiopeia
Status:
Malicious
First seen:
2026-03-25 05:52:49 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
28 of 36 (77.78%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:umbral persistence privilege_escalation ransomware stealer
Behaviour
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Looks up external IP address via web service
Checks computer location settings
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Modifies system executable filetype association
Detects Umbral payload
Umbral
Umbral family
Malware Config
C2 Extraction:
https://discord.com/api/webhooks/1486034224719990898/cdIsqZlxD5Dax8_ev5spNqv6MklKOUY01nv4-tDjdpvImzxZFZs3M0RMJn-xD9C5qA3X
Unpacked files
SHA256 hash:
25544fc625914d2e5cff02a8b4c29ebc4d305151bceae57ac742ad8a60ef8ca6
MD5 hash:
b9e1d6ef476dbdd073763ad6a88d60d5
SHA1 hash:
22e666896afd2438b9b134d66504cdbf73c3490e
SHA256 hash:
a4ecaf0d14617484d32af52574b288195323091ca3746d453f6947060e99593b
MD5 hash:
d672e07f62793a35ea3fc9572eda2682
SHA1 hash:
1612e2c7f569dad2cc1566418d17504ff381e519
SHA256 hash:
1ffa757d435940fcbfa3d463017289501b560fa5cab0539366586977a966f8a0
MD5 hash:
09e2581ef363cf7a9e55ccaa10730cdc
SHA1 hash:
19730a9a670600a529a2b77f30b458e4d94a5616
Detections:
UmbralStealer INDICATOR_EXE_Packed_Fody INDICATOR_SUSPICIOUS_EXE_SandboxUserNames INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice INDICATOR_SUSPICIOUS_EXE_SandboxComputerNames INDICATOR_SUSPICIOUS_EXE_SandboxSystemUUIDs MALWARE_Win_UmbralStealer
Malware family:
UmbralStealer
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
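Two things a practitioner usually does with an entry like this are to verify that a downloaded file really is the sample the hashes above describe, and to pull the Discord webhook (the Umbral C2 channel shown under "C2 Extraction") out of the binary's strings rather than trusting a single sandbox's parse. The script below is an added example written for this page, not MalwareBazaar or Umbral code. The regex, the helper names and the byte blob in main() are the author's assumptions and constructions; the expected digests are the ones listed on this entry. Because the sample is a .NET executable, string literals live in the UTF-16LE #US heap, so the extractor scans both an ASCII view and UTF-16LE views at both byte alignments.

```python
"""Verify a downloaded MalwareBazaar sample against the hashes on its entry and
extract Discord webhook URLs (Umbral's C2 channel) from its strings.

Added example for this page; not MalwareBazaar or Umbral code. The regex and the
helper names are assumptions; the blob in main() is constructed test data."""
import hashlib
import re
import sys

# Hashes as listed on this MalwareBazaar entry for TweakService.exe.
EXPECTED_HASHES = {
    "sha256": "25544fc625914d2e5cff02a8b4c29ebc4d305151bceae57ac742ad8a60ef8ca6",
    "sha3_384": "772fae5cd278fdca0e911c5c4a6bf919f80b50b41075f0b314a2066bf35493fbdbb5d42cbea6044a6cddf546f3915159",
    "sha1": "22e666896afd2438b9b134d66504cdbf73c3490e",
    "md5": "b9e1d6ef476dbdd073763ad6a88d60d5",
}


def compute_hashes(data: bytes) -> dict:
    """Digest the bytes with the four algorithms the entry lists."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


def verify_sample(data: bytes, expected: dict = EXPECTED_HASHES) -> dict:
    """Return {algorithm: True/False} for every listed hash.

    Only the SHA-2/SHA-3 digests are collision resistant; MD5 and SHA-1 are kept
    for cross-referencing other feeds, not as proof that the file is the sample."""
    actual = compute_hashes(data)
    return {algo: actual[algo] == value.lower() for algo, value in expected.items()}


# Discord webhook: discord.com (or discordapp.com) /api/webhooks/<snowflake id>/<token>.
# Snowflake IDs are 17-20 decimal digits; tokens are URL-safe base64-like, about 68 chars.
# (Pattern is an assumption for this example, not taken from Discord documentation.)
WEBHOOK_RE = re.compile(
    r"https?://(?:[a-z]+\.)?discord(?:app)?\.com/api/webhooks/([0-9]{17,20})/([A-Za-z0-9_\-]{60,80})"
)


def _string_views(data: bytes):
    """Yield the binary as text in the encodings .NET stores strings in:
    latin-1 for ASCII metadata/resources, UTF-16LE (#US heap) at both alignments."""
    yield data.decode("latin-1")
    for offset in (0, 1):
        yield data[offset:].decode("utf-16-le", errors="ignore")


def extract_discord_webhooks(data: bytes) -> list:
    """Unique webhook URLs with their id and token, in order of first sighting."""
    seen, found = set(), []
    for text in _string_views(data):
        for m in WEBHOOK_RE.finditer(text):
            if m.group(0) in seen:
                continue
            seen.add(m.group(0))
            found.append({"url": m.group(0), "webhook_id": m.group(1), "token": m.group(2)})
    return found


def defang(url: str) -> str:
    """Render a URL so it cannot be clicked or auto-linked in a report."""
    scheme, rest = url.split("://", 1)
    host, _, path = rest.partition("/")
    return f"{scheme.replace('http', 'hxxp')}://{host.replace('.', '[.]')}/{path}"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
        print("hash check:", verify_sample(blob))
    else:
        # Constructed stand-in: a dummy webhook embedded once as ASCII and once as UTF-16LE.
        fake_hook = "https://discord.com/api/webhooks/123456789012345678/" + "A" * 68
        blob = b"MZ\x90\x00" + fake_hook.encode() + b"\x00\x00\x00" + fake_hook.encode("utf-16-le")
    for hook in extract_discord_webhooks(blob):
        print("webhook id", hook["webhook_id"], "->", defang(hook["url"]))
```

Run it with the downloaded file as the only argument; an all-True result from verify_sample is the pre-condition for trusting the rest of this entry's metadata, and any webhook it prints should go into the report defanged exactly as the script emits it.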

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NETexecutableMicrosoft
Author:malware-lu
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
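Two of the three rules that fired here (pe_imphash and Skystars_Malware_Imphash) key on the import hash alone. The rule below is an added example of that style, written for this page and not one of the repository rules; the rule name is made up. It matches the imphash listed above, and the meta block carries the caveat the entry itself supplies: MalwareBazaar reports the same imphash on tens of thousands of AgentTesla, Formbook and SnakeKeylogger samples, so a hit identifies a shared .NET loader stub and is a triage pivot, not an Umbral attribution. Note that pe.imphash() is only available when YARA is built with hashing support (OpenSSL).

```yara
import "pe"

// Added example rule, not one of the YARAhub/Malpedia rules matched above.
rule Imphash_f34d5f2d_Shared_DotNet_Stub_Example
{
    meta:
        description = "Imphash listed on MalwareBazaar for 25544fc6...ca6 (UmbralStealer); the same imphash is reported on ~48k AgentTesla, ~19k Formbook and ~12k SnakeKeylogger samples, so this is a loader-stub pivot, not a family rule"
        reference   = "https://bazaar.abuse.ch/ (SHA256 25544fc625914d2e5cff02a8b4c29ebc4d305151bceae57ac742ad8a60ef8ca6)"
        tlp         = "CLEAR"
    condition:
        uint16(0) == 0x5A4D and
        filesize < 2MB and
        pe.imphash() == "f34d5f2d4577ed6d9ceec516c1f5a744"
}
```

Pair a hit from this rule with a family-specific signature (for example the MALWARE_Win_UmbralStealer match listed above) or with config extraction before labelling the sample; on its own it only says "same import table as a very common .NET stealer build".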
