MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5658f42d6332d99827d772a710d74e905f822d23e958c86f802973c2cffe850f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

UmbralStealer

Vendor detections: 15

Intelligence 15 IOCs YARA 10 File information Comments

SHA256 hash:	5658f42d6332d99827d772a710d74e905f822d23e958c86f802973c2cffe850f
SHA3-384 hash:	98659334b24a7d5547927539c9d17f3ccbaf3b891058350fc14fc5d69dfac48c7c69bdfd560aae69f797cef6bb5211a5
SHA1 hash:	e80841a355b8dce9955b9bbba63f02a4ad31a836
MD5 hash:	7f32dcbb00de079c31ff7895ae9c0560
humanhash:	sink-eighteen-sierra-oklahoma
File name:	l0xmdpqk.ylw.bin
Download:	download sample
Signature	UmbralStealer Create hunting rule
File size:	232'448 bytes
First seen:	2024-04-27 22:13:29 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'672 x AgentTesla, 19'494 x Formbook, 12'214 x SnakeKeylogger)
ssdeep	6144:bloZM+9EB1/SqctonEPfCqAu0+prdmK13Up7a6rhgj8e1m5l:5oZQdSqcwvu0+prdmK13Up7a6rhQM
TLSH	T1BA346C5833B88F17E26F8BBDD5B1149F87B1F143E90AF78E0C8895E82421742E949E57
TrID	60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.8% (.SCR) Windows screen saver (13097/50/3) 8.7% (.EXE) Win64 Executable (generic) (10523/12/4) 5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	Reedus0
Tags:	exe spyware UmbralStealer

Intelligence

File Origin

# of uploads :

# of downloads :

531

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

ce8f179e7e29d4f28f1c5039808e82c198264183166069d8ad567f63275c74a8.exe

Verdict:

Malicious activity

Analysis date:

2024-04-27 22:14:22 UTC

Tags:

evasion umbralstealer stealer discord exfiltration

Link:

https://app.any.run/tasks/51231c7c-7308-41e7-a988-d80989d09049

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Connection attempt

Sending a custom TCP request

Launching a process

Sending an HTTP GET request

Enabling the 'hidden' option for analyzed file

Creating a file

Creating a window

Creating a file in the %temp% subdirectories

Adding an exclusion to Microsoft Defender

Changing the hosts file

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

89%

Tags:

anti-vm anti-vm cmd fingerprint hacktool lolbin masquerade rat wmic

Link:

https://www.filescan.io/uploads/662d78acd2fc149e4122fe1c/reports/2e1301c7-844d-4754-9e7f-1f975fac8275/overview

Verdict:

Malicious

Labled as:

Jalapeno.Generic

Link:

https://www.hybrid-analysis.com/sample/5658f42d6332d99827d772a710d74e905f822d23e958c86f802973c2cffe850f

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Sharp Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0094f2e1-d1f4-4311-a32d-4a64bbfd3839

Result

Threat name:

Blank Grabber, Umbral Stealer

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1432694

Signature

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Check if machine is in data center or colocation facility

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Blank Grabber

Yara detected Umbral Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

88%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/5658f42d6332d99827d772a710d74e905f822d23e958c86f802973c2cffe850f

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5658f42d6332d99827d772a710d74e905f822d23e958c86f802973c2cffe850f/

Threat name:

ByteCode-MSIL.Trojan.UmbralStealer

Status:

Malicious

First seen:

2024-04-27 22:14:06 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 24 (87.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=kzmpilldglmzqj6xoktrbv2osbpyeljd5fmmq34affz4ft76quhq._file

Verdict:

malicious

Result

Malware family:

umbral

Score:

10/10

Tags:

family:umbral spyware stealer

Link:

https://tria.ge/reports/240427-15m3qsaa31/

Behaviour

Detects videocard installed

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Views/modifies file attributes

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Reads user/profile data of web browsers

Drops file in Drivers directory

Detect Umbral payload

Umbral

Malware Config

C2 Extraction:

https://discord.com/api/webhooks/1230863499496783923/A02kDLEw6wbN8ixBXQtfYqly_yrSOMARWe64V1_a5LlUVAnlyyQj7Axye820VBzQV8HJ

Unpacked files

SH256 hash:

5658f42d6332d99827d772a710d74e905f822d23e958c86f802973c2cffe850f

MD5 hash:

7f32dcbb00de079c31ff7895ae9c0560

SHA1 hash:

e80841a355b8dce9955b9bbba63f02a4ad31a836

Detections:

INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice

Link:

https://www.unpac.me/results/d648a67c-a66d-4ced-b94e-d1777dab5f2d/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/5658f42d6332/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5658f42d6332d99827d772a710d74e905f822d23e958c86f802973c2cffe850f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	INDICATOR_SUSPICIOUS_EXE_SandboxComputerNames Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing possible sandbox analysis VM names

Rule name:	INDICATOR_SUSPICIOUS_EXE_SandboxSystemUUIDs Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing possible sandbox system UUIDs

Rule name:	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing possible sandbox analysis VM usernames

Rule name:	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice Create hunting rule
Author:	ditekSHen
Description:	Detects executables attemping to enumerate video devices using WMI

Rule name:	MALWARE_Win_UmbralStealer Create hunting rule
Author:	ditekShen
Description:	Detects Umbral infostealer

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

UmbralStealer

exe ce8f179e7e29d4f28f1c5039808e82c198264183166069d8ad567f63275c74a8

UmbralStealer

exe 5658f42d6332d99827d772a710d74e905f822d23e958c86f802973c2cffe850f

(this sample)

Dropped by

SHA256 ce8f179e7e29d4f28f1c5039808e82c198264183166069d8ad567f63275c74a8

Delivery method

Distributed via web download

Dropped by

MD5 9e511d399fbc2bf0c2d45302dc62be61

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample