MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 288ddcd0fa055b7365543b690d6689df63ccb85c04a6da55ac54b813fbb72d01. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

UmbralStealer

Vendor detections: 13

Intelligence 13 IOCs YARA 1 File information Comments

SHA256 hash:	288ddcd0fa055b7365543b690d6689df63ccb85c04a6da55ac54b813fbb72d01
SHA3-384 hash:	c5028e5d92a4b651e8f1831d9edd574b4d7c273e16d2890960368c2a0d58fc56f35a4ef52b0c0f304f0b8dd79fa0a0d1
SHA1 hash:	48bc5432f34dbf68c04c318c7357414e0942d1d9
MD5 hash:	dc72763ca5e65f620ec67634130977c7
humanhash:	low-hot-iowa-diet
File name:	XXXXXXXXXXXX.bat
Download:	download sample
Signature	UmbralStealer Create hunting rule
File size:	572'570 bytes
First seen:	2025-12-31 20:37:15 UTC
Last seen:	Never
File type:	bat
MIME type:	text/plain
ssdeep	12288:015wM8nPYiFSCf9fdA0syka8CT/ZeJm/Aj0Vhgo+:01wnDFSeW0s/cTyCAQV+
Threatray	2'327 similar samples on MalwareBazaar
TLSH	T194C4F1062BD83ED7407BF71CD42F5407068E05694811EBAC40AA7749F7EB2A49AABCDD
Magika	batch
Reporter	BastianHein
Tags:	bat UmbralStealer

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

XXXXXXXXXXXX.bat

Verdict:

Malicious activity

Analysis date:

2025-12-31 18:34:37 UTC

Tags:

anti-evasion evasion discord exfiltration stealer auto heodo botnet confuser umbral generic divulgestealer

Link:

https://app.any.run/tasks/0188147b-7576-46f3-a6da-4916623e9c0f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/46708/

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69556cbcd2357cccc3de3ff0

Tags:

ransomware shell sage

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

crypt evasive obfuscated powershell powershell

Link:

https://www.filescan.io/uploads/695589b22fb7bb52ca83a9e2/reports/624d8e82-9f41-4f3b-8c77-a8190ed95bc0/overview

Verdict:

Malicious

Labled as:

TrojanDropper/BAT.Agent

Link:

https://www.hybrid-analysis.com/sample/288ddcd0fa055b7365543b690d6689df63ccb85c04a6da55ac54b813fbb72d01

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-12-31T15:38:00Z UTC

Last seen:

2026-01-02T08:37:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan.PowerShell.Agent.gen HEUR:Trojan.BAT.Obfus.gen

Link:

https://opentip.kaspersky.com/288ddcd0fa055b7365543b690d6689df63ccb85c04a6da55ac54b813fbb72d01/results?tab=lookup

Score:

99%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/288ddcd0fa055b7365543b690d6689df63ccb85c04a6da55ac54b813fbb72d01

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/288ddcd0fa055b7365543b690d6689df63ccb85c04a6da55ac54b813fbb72d01/

Verdict:

Malicious

Threat:

Family.UMBRAL

Link:

https://tip.neiki.dev/file/288ddcd0fa055b7365543b690d6689df63ccb85c04a6da55ac54b813fbb72d01

Threat name:

Script-BAT.Backdoor.Quasar

Status:

Malicious

First seen:

2025-12-31 18:34:39 UTC

File Type:

Text (PowerShell)

AV detection:

7 of 38 (18.42%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fcg5zuh2avnxgzkuhnuq2zuj35r4zoc4astnuvnmks4bh65xfuaq._file

Verdict:

malicious

Label(s):

umbral

UmbralStealer

494aa7780051dd4e03f40ea2b87c9bb548716ddac19c6a2ccc5d0274faaa9911

UmbralStealer

9daf3c5450c0f2ec79d68c817d5bdcdf0f8b0daafc79714e673eab04acf3bc44

UmbralStealer

b3fd5f0c90db244a8b4a99d1fc342abc54464332cc12a27b36ea07f601d717c8

UmbralStealer

c6ff62032c39ff25b2171f16b6bc9caa9d0f9b3a2e733899ffc78c628c788a76

UmbralStealer

cd38ac659e7c2d3ad28705c52c281983b28f4683e81bd61f3ba166b7c61cbc74

UmbralStealer

error

UmbralStealer

+ 2'317 additional samples on MalwareBazaar

Result

Malware family:

umbral

Score:

10/10

Tags:

family:umbral defense_evasion discovery execution exploit ransomware spyware stealer

Link:

https://tria.ge/reports/260106-n4631a1pgz/

Behaviour

Detects videocard installed

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Views/modifies file attributes

System Network Configuration Discovery: Internet Connection Discovery

ConfuserEx .NET packer

Sets desktop wallpaper using registry

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Disables automatic submission of suspicious files to Microsoft by Windows Defender

Executes dropped EXE

Modifies file permissions

Reads user/profile data of web browsers

Command and Scripting Interpreter: PowerShell

Disables one or more Microsoft Defender components

Possible privilege escalation attempt

Detects Umbral payload

Umbral

Umbral family

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/288ddcd0fa055b7365543b690d6689df63ccb85c04a6da55ac54b813fbb72d01

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/46708/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample