MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 261d6fc361222284586e133e152797651ecde629ac3243cf47dba5af1fa4c3cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


UmbralStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 261d6fc361222284586e133e152797651ecde629ac3243cf47dba5af1fa4c3cc
SHA3-384 hash: 723451ed439e8147d2ac77a23e8f379ee5bf7550b75b2a267d2bb637cc6902720657dfc108874a74ed730b1fc57c5635
SHA1 hash: 1b863031e8556e48fa63d233b768148d87dda7c4
MD5 hash: 2290a5c6cfd6f8bd2e3ad188e7eafa05
humanhash: king-tennessee-autumn-carpet
File name:Extreme Injector v3.exe
Download: download sample
Signature UmbralStealer
Create hunting rule
File size:1'473'536 bytes
First seen:2025-01-19 14:34:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 24576:PAOmi5Vm+lBnehvY2iPr93CeF1LH1Xt5QezP9tHtR9JSWmsMrlA18VnZAWQvKsoe:E4FdetMVCK1LVXXQezP3+Wgm18VeWouS
TLSH T1ED65332472AECD52C00E0EB2471273771F36B7BDA9B60B2A8F1837564D17839299C56F
TrID 56.5% (.EXE) Win64 Executable (generic) (10522/11/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
File icon (PE):PE icon
dhash icon 58d8b26340809adc (7 x DCRat, 2 x XWorm, 1 x AsyncRAT)
Reporter aachum
Tags:exe UmbralStealer


Avatar
iamaachum
https://www.youtube.com/watch?v=RcmZtlojvY8 => https://mega.nz/file/PyQCFRjb#gWC1r5P2W9quza2BZ8bjjsMq9xBtuMuoYdcxcL3_PgQ

Umbral C2: https://discord.com/api/webhooks/1330303031618834494/9EbwLYdGRckxpwmC1x4tuNXcnptDOj3OQ10dKAGSqevucBbQ362A75MKfWoz9gAFomh6

Intelligence

File Origin
# of uploads :
1
# of downloads :
100
Origin country :
ES ES
Vendor Threat Intelligence
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=678e2c31e708b6e7a3ad849a
Tags:
vmdetect autorun umbra
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Launching a process
Enabling the 'hidden' option for files in the %temp% directory
Searching for synchronization primitives
Sending an HTTP GET request
Running batch commands
Unauthorized injection to a recently created process
Adding an exclusion to Microsoft Defender
Changing the hosts file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/678d0d9a2d219e36112b103c/reports/9e2acbf8-c553-4eeb-bf76-44403cfd37a7/overview
Verdict:
Malicious
Labled as:
MSIL.Packy.Generic
Link:
https://www.hybrid-analysis.com/sample/261d6fc361222284586e133e152797651ecde629ac3243cf47dba5af1fa4c3cc
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Sharp Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8c0d7d05-01b4-4437-b3f0-2869daceebba
Result
Threat name:
Blank Grabber, Umbral Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1594625
Signature
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Drops PE files to the startup folder
Drops PE files with a suspicious file extension
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the hosts file
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Startup Folder Persistence
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Uses attrib.exe to hide files
Uses ping.exe to check the status of other devices and networks
Yara detected Blank Grabber
Yara detected Generic Downloader
Yara detected Umbral Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1594625 Sample: Extreme Injector v3.exe Startdate: 19/01/2025 Architecture: WINDOWS Score: 100 57 raw.githubusercontent.com 2->57 59 ip-api.com 2->59 61 discord.com 2->61 69 Suricata IDS alerts for network traffic 2->69 71 Found malware configuration 2->71 73 Malicious sample detected (through community Yara rule) 2->73 75 20 other signatures 2->75 9 Extreme Injector v3.exe 4 2->9         started        signatures3 process4 file5 47 C:\Users\user\...xtreme Injector.exe, PE32 9->47 dropped 49 C:\Users\user\...xtreme Injector v3.exe, PE32 9->49 dropped 51 C:\Users\user\...xtreme Injector v3.exe.log, CSV 9->51 dropped 81 Found many strings related to Crypto-Wallets (likely being stolen) 9->81 13 Extreme Injector.exe 15 15 9->13         started        18 Extreme Injector v3.exe 14 3 9->18         started        signatures6 process7 dnsIp8 63 ip-api.com 208.95.112.1, 49894, 80 TUT-ASUS United States 13->63 65 discord.com 162.159.136.232, 443, 49985, 49986 CLOUDFLARENETUS United States 13->65 53 C:\ProgramData\Microsoft\...\PLERX.scr, PE32 13->53 dropped 55 C:\Windows\System32\drivers\etc\hosts, ASCII 13->55 dropped 83 Suspicious powershell command line found 13->83 85 Found many strings related to Crypto-Wallets (likely being stolen) 13->85 87 Tries to harvest and steal browser information (history, passwords, etc) 13->87 89 3 other signatures 13->89 20 powershell.exe 13->20         started        23 cmd.exe 13->23         started        25 attrib.exe 13->25         started        27 8 other processes 13->27 67 raw.githubusercontent.com 185.199.111.133, 443, 49705 FASTLYUS Netherlands 18->67 file9 signatures10 process11 signatures12 77 Loading BitLocker PowerShell Module 20->77 29 conhost.exe 20->29         started        31 WmiPrvSE.exe 20->31         started        79 Uses ping.exe to check the status of other devices and networks 23->79 33 conhost.exe 23->33         started        35 PING.EXE 23->35         started        37 conhost.exe 25->37         started        39 conhost.exe 27->39         started        41 conhost.exe 27->41         started        43 conhost.exe 27->43         started        45 5 other processes 27->45 process13
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/261d6fc361222284586e133e152797651ecde629ac3243cf47dba5af1fa4c3cc
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/261d6fc361222284586e133e152797651ecde629ac3243cf47dba5af1fa4c3cc/
Threat name:
ByteCode-MSIL.Trojan.XWormRAT
Create hunting rule
Status:
Malicious
First seen:
2025-01-19 14:35:05 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
10
AV detection:
20 of 38 (52.63%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eyow7q3beiriiwdocm7bkj4xmupm3zrjvqzeht2h3os26h5eypga._file
Result
Malware family:
umbral
Create hunting rule
Score:
  10/10
Tags:
family:umbral discovery execution spyware stealer
Link:
https://tria.ge/reports/250119-rxzxwssmar/
Behaviour
Detects videocard installed
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Drops file in Drivers directory
Detect Umbral payload
Umbral
Umbral family
Malware Config
C2 Extraction:
https://discord.com/api/webhooks/1330303031618834494/9EbwLYdGRckxpwmC1x4tuNXcnptDOj3OQ10dKAGSqevucBbQ362A75MKfWoz9gAFomh6
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/eff11392-48a9-44d2-be7e-459198cc279b
Unpacked files
SH256 hash:
b65f40618f584303ca0bcf9b5f88c233cc4237699c0c4bf40ba8facbe8195a46
MD5 hash:
ec801a7d4b72a288ec6c207bb9ff0131
SHA1 hash:
32eec2ae1f9e201516fa7fcdc16c4928f7997561
Detections:
INDICATOR_EXE_Packed_Dotfuscator
Create hunting rule
INDICATOR_EXE_Packed_Goliath
Create hunting rule
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/4e406c66-513d-47fc-865d-553d2449ddc2/
Parent samples :
c332bac5bfa6b4e806dbe65ff8b4041c7d931e6709349218f361437e1ae52c2f
261d6fc361222284586e133e152797651ecde629ac3243cf47dba5af1fa4c3cc
cc92c665e4e26f4bf880e69666f019f9d568533510d8ca3d5e4651c1e121231e
b99cd41e40fa63ebe8efc4f1263d9fe3c0151a05ac580ee5421ca365f163e5ea
709f5ad2bad14a2c881948f0ddb7b7f67e1b91ef981541f735c6a90e34c566fb
1691f0ab36468cfed1f7ebead04c3b46c11c4d8614aed53ff7060e7e7d669a4c
3847b2b3358e1367eea88ac614bcb5d760126b5a9fa59513966197b10b2f99a6
bdcdd7e8a1780076e09fa5f1635603ed07199a0f8a595e7ad5c089887d5a4cbf
dc8decaba2fbe09e0ca95485ed06376e65ba7e77869868beecf8f937747a213f
4e57af02f430ffdacb81b8b597b251bac12de9c0703fb5325411dc83ca8d8e11
SH256 hash:
8b30696e9259851325272d57b9452ac2f6037231f1c6895658efb57e0445d064
MD5 hash:
7d4400842d0ded3544bc7892c765816d
SHA1 hash:
c5a12688240f8db93e7482d16d145802445bfd71
Detections:
UmbralStealer
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SandboxComputerNames
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SandboxSystemUUIDs
Create hunting rule
MALWARE_Win_UmbralStealer
Create hunting rule
Link:
https://www.unpac.me/results/4e406c66-513d-47fc-865d-553d2449ddc2/
SH256 hash:
261d6fc361222284586e133e152797651ecde629ac3243cf47dba5af1fa4c3cc
MD5 hash:
2290a5c6cfd6f8bd2e3ad188e7eafa05
SHA1 hash:
1b863031e8556e48fa63d233b768148d87dda7c4
Link:
https://www.unpac.me/results/4e406c66-513d-47fc-865d-553d2449ddc2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/261d6fc361222284586e133e152797651ecde629ac3243cf47dba5af1fa4c3cc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

UmbralStealer

Executable exe 261d6fc361222284586e133e152797651ecde629ac3243cf47dba5af1fa4c3cc

(this sample)

  
Link
https://tria.ge/250119-rkagga1qck/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments