MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 331faea175ced9239aa38c09f75cf1cba4a331461268315b76c94bb7c7a4b8d8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

UmbralStealer

Vendor detections: 17



SHA256 hash: 331faea175ced9239aa38c09f75cf1cba4a331461268315b76c94bb7c7a4b8d8
SHA3-384 hash: 436afc686863ccef27ccdd94f43babc1e9d61af97c8e9f7aecd44f92aaafc393efc8c35c08f197183cda0d81104ea53b
SHA1 hash: bc837ba36a8f244283483210215a11607f05fb63
MD5 hash: 4c8044c83f60465eae3cc16d7c858085
humanhash: illinois-crazy-hydrogen-equal
File name: resembleC2.exe
Signature: UmbralStealer
File size: 131'072 bytes
First seen: 2025-01-12 06:08:48 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'757 x AgentTesla, 19'665 x Formbook, 12'254 x SnakeKeylogger)
ssdeep 3072:oRt4KXzdjBFUxzV4NsFYGvL9JjyVcUuyTRc8R:q4gRjBF4SKFYMLbjxUBRc8
Threatray 97 similar samples on MalwareBazaar
TLSH T1B8D3128892D4C236CD5D8BBBD566A5644179F7579E2B2F2B0A3480FC8D0F246C2F79C2
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter zhuzhu0009
Tags: exe UmbralStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 232
Origin country: HK
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
resembleC2.exe
Verdict:
Malicious activity
Analysis date:
2025-01-12 05:11:36 UTC
Tags:
evasion stealer umbralstealer arch-doc discord exfiltration

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
vmdetect autorun proxy
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending a custom TCP request
Launching a process
Sending an HTTP GET request
Enabling the 'hidden' option for files in the %temp% directory
Connection attempt to an infection source
Creating a window
Running batch commands
Unauthorized injection to a recently created process
Query of malicious DNS domain
Adding an exclusion to Microsoft Defender
Changing the hosts file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed packed packer_detected vbnet
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Sharp Stealer
Verdict:
Malicious
Result
Threat name:
Blank Grabber, Umbral Stealer
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Signature
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Drops PE files to the startup folder
Drops PE files with a suspicious file extension
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the hosts file
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Startup Folder Persistence
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Uses attrib.exe to hide files
Uses ping.exe to check the status of other devices and networks
Yara detected Blank Grabber
Yara detected Umbral Stealer
Behaviour
Behavior Graph: Behavior Graph ID: 1589390, Sample: resembleC2.exe, Startdate: 12/01/2025, Architecture: WINDOWS, Score: 100 (rendered process graph omitted)
Threat name:
Win32.Trojan.XWormRAT
Status:
Malicious
First seen:
2025-01-12 05:11:36 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:umbral discovery execution spyware stealer
Behaviour
Detects videocard installed
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Drops file in Drivers directory
Detect Umbral payload
Umbral
Umbral family
Malware Config
C2 Extraction:
https://discord.com/api/webhooks/1326652489054818346/f_cBTMEYAkXYcTbEkW-MUwYrefMORTfuoofsZ5ymJ5yR8BQpohmaCuB-PwAuIP1xAUKw
Unpacked files
SHA256 hash:
8fd22c5acb3144dbaa5ab3f9dd5901eb6f3beef67e72ea431246c6a790c067de
MD5 hash:
f70b5e56a09af292d4e909c547f9c8c0
SHA1 hash:
577883bdbe8dc9582e15e7a1212b1fe432bafce3
Detections:
UmbralStealer INDICATOR_SUSPICIOUS_EXE_SandboxUserNames INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice INDICATOR_SUSPICIOUS_EXE_SandboxComputerNames INDICATOR_SUSPICIOUS_EXE_SandboxSystemUUIDs MALWARE_Win_UmbralStealer
SHA256 hash:
85f5f5acb54c30efd4f84c0f11c834b7dab98c5bb7357bddcd29fbe5babc4db6
MD5 hash:
8c7d2f0a936dbe6d0899d40171ffb668
SHA1 hash:
0b22fcd904f3b0fa2555a32a2635423668fc4616
SHA256 hash:
331faea175ced9239aa38c09f75cf1cba4a331461268315b76c94bb7c7a4b8d8
MD5 hash:
4c8044c83f60465eae3cc16d7c858085
SHA1 hash:
bc837ba36a8f244283483210215a11607f05fb63
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high
