MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8a23e0ccbd2027831ff07599f03b5c1324e080f9415983746de29a6c6ab695fc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


UmbralStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8a23e0ccbd2027831ff07599f03b5c1324e080f9415983746de29a6c6ab695fc
SHA3-384 hash: c098aa0474e4cb870adc0f984144ac3edeaaac1682a4b09f8cf03f306bf658d98cebd63df5938115bfff1c95f58581c1
SHA1 hash: 5ed8cecacc5e6165d43ee91787f72846d2e8ad01
MD5 hash: 31f61e9c68256b4cc089b3703c0e2039
humanhash: romeo-may-gee-social
File name:spglr64.exe
Download: download sample
Signature UmbralStealer
Create hunting rule
File size:1'528'682 bytes
First seen:2024-08-27 22:24:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b1c5b1beabd90d9fdabd1df0779ea832 (11 x CoinMiner, 10 x QuasarRAT, 8 x AsyncRAT)
ssdeep 24576:yuDXTIGaPhEYzUzA0bOvbKAO1WMbkiSfLAo9Ffze20S4OIsAMWlXl9h2DvpfsTCu:1Djlabwz9Sv61kiQKvS4OUMI4hfaD
TLSH T1F965020EE7A809F8D0B7E538D9479902F3797C4913619BCF13A5526A1F277A0DE3A321
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter adm1n_usa32
Tags:64 DCRat exe UmbralStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
395
Origin country :
RO RO
Vendor Threat Intelligence
Malware family:
dcrat
Create hunting rule
ID:
1
File name:
spglr64.exe
Verdict:
Malicious activity
Analysis date:
2024-08-27 22:23:34 UTC
Tags:
evasion rat dcrat remote darkcrystal stealer netreactor wmi-base64 api-base64
Link:
https://app.any.run/tasks/6a5136ad-4f5d-4da8-9688-e45006e7a942

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packed.Bladabindi-10017056-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66ce5240fe69a9e560499b1b
Tags:
Discovery Encryption Execution Generic Network Other Static Stealth Trojan Runner
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
DNS request
Connection attempt
Sending a custom TCP request
Launching a process
Sending an HTTP GET request
Enabling the 'hidden' option for recently created files
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Creating a file in the Program Files subdirectories
Launching many processes
Creating a file in the %temp% directory
Sending a UDP request
Unauthorized injection to a recently created process
Blocking the User Account Control
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Blocking a possibility to launch for the Windows Task Manager (taskmgr)
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Enabling autorun
Changing the hosts file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
89%
Tags:
anti-vm anti-vm cmd fingerprint fingerprint installer lolbin microsoft_visual_cc overlay packed rat setupapi sfx shdocvw shell32 wmic
Link:
https://www.filescan.io/uploads/66ce5242eb26ed7f73c530aa/reports/1064a4f6-39e4-4b74-81f5-cadc06e75293/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/8a23e0ccbd2027831ff07599f03b5c1324e080f9415983746de29a6c6ab695fc
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/8c619144-acd8-4c77-84de-509b412c984d
Result
Threat name:
Blank Grabber, DCRat, Umbral Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1500153
Signature
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Creates processes via WMI
Disable UAC(promptonsecuredesktop)
Disables UAC (registry)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the startup folder
Drops PE files with a suspicious file extension
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Schedule system process
Sigma detected: Suspicious Startup Folder Persistence
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Uses attrib.exe to hide files
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected Blank Grabber
Yara detected DCRat
Yara detected Generic Downloader
Yara detected Umbral Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1500153 Sample: spglr64.exe Startdate: 28/08/2024 Architecture: WINDOWS Score: 100 84 ip-api.com 2->84 86 discord.com 2->86 88 cw67355.tw1.ru 2->88 106 Suricata IDS alerts for network traffic 2->106 108 Found malware configuration 2->108 110 Malicious sample detected (through community Yara rule) 2->110 112 18 other signatures 2->112 11 spglr64.exe 7 2->11         started        15 xUfEpQMuHVIdtYMtGVnpQQ.exe 2->15         started        17 xUfEpQMuHVIdtYMtGVnpQQ.exe 2->17         started        19 svchost.exe 2->19         started        signatures3 process4 dnsIp5 80 C:\Users\user\Desktop\stealqqgwrffs.exe, PE32 11->80 dropped 82 C:\Users\user\Desktop\ratgergedrghi.exe, PE32 11->82 dropped 130 Found many strings related to Crypto-Wallets (likely being stolen) 11->130 22 ratgergedrghi.exe 3 6 11->22         started        26 stealqqgwrffs.exe 15 15 11->26         started        132 Multi AV Scanner detection for dropped file 15->132 134 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 15->134 90 127.0.0.1 unknown unknown 19->90 file6 signatures7 process8 dnsIp9 72 C:\...\Surrogatereviewsession.exe, PE32 22->72 dropped 74 C:\...\Xt9KI1krEJFJGvttvIkhdsOgzo3.vbe, data 22->74 dropped 114 Antivirus detection for dropped file 22->114 116 Multi AV Scanner detection for dropped file 22->116 118 Machine Learning detection for dropped file 22->118 29 wscript.exe 1 22->29         started        94 ip-api.com 208.95.112.1, 49706, 49717, 80 TUT-ASUS United States 26->94 96 discord.com 162.159.136.232, 443, 49719, 49720 CLOUDFLARENETUS United States 26->96 76 C:\ProgramData\Microsoft\...\eRevR.scr, PE32 26->76 dropped 78 C:\Windows\System32\drivers\etc\hosts, ASCII 26->78 dropped 120 Found many strings related to Crypto-Wallets (likely being stolen) 26->120 122 Drops PE files with a suspicious file extension 26->122 124 Drops PE files to the startup folder 26->124 126 4 other signatures 26->126 32 powershell.exe 23 26->32         started        34 WMIC.exe 1 26->34         started        36 attrib.exe 1 26->36         started        38 Conhost.exe 26->38         started        file10 signatures11 process12 signatures13 136 Windows Scripting host queries suspicious COM object (likely to drop second stage) 29->136 40 cmd.exe 29->40         started        138 Loading BitLocker PowerShell Module 32->138 42 conhost.exe 32->42         started        44 conhost.exe 34->44         started        46 conhost.exe 36->46         started        process14 process15 48 Surrogatereviewsession.exe 40->48         started        52 conhost.exe 40->52         started        file16 64 C:\Windows\...\xUfEpQMuHVIdtYMtGVnpQQ.exe, PE32 48->64 dropped 66 C:\Windows\Fonts\xUfEpQMuHVIdtYMtGVnpQQ.exe, PE32 48->66 dropped 68 C:\Recovery\xUfEpQMuHVIdtYMtGVnpQQ.exe, PE32 48->68 dropped 70 3 other malicious files 48->70 dropped 98 Antivirus detection for dropped file 48->98 100 Multi AV Scanner detection for dropped file 48->100 102 Creates an undocumented autostart registry key 48->102 104 8 other signatures 48->104 54 xUfEpQMuHVIdtYMtGVnpQQ.exe 48->54         started        58 schtasks.exe 48->58         started        60 schtasks.exe 48->60         started        62 17 other processes 48->62 signatures17 process18 dnsIp19 92 cw67355.tw1.ru 185.114.247.170, 49711, 49713, 49716 TIMEWEB-ASRU Russian Federation 54->92 128 Protects its processes via BreakOnTermination flag 54->128 signatures20
Score:
68%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/8a23e0ccbd2027831ff07599f03b5c1324e080f9415983746de29a6c6ab695fc
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8a23e0ccbd2027831ff07599f03b5c1324e080f9415983746de29a6c6ab695fc/
Threat name:
ByteCode-MSIL.Trojan.UmbralStealer
Create hunting rule
Status:
Malicious
First seen:
2024-08-25 17:30:21 UTC
File Type:
PE+ (Exe)
Extracted files:
37
AV detection:
24 of 38 (63.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rir6btf5eatygh7qowm7ao24cmsobahzifmyg5dn4kngy2vwsx6a._file
Verdict:
malicious
Result
Malware family:
umbral
Create hunting rule
Score:
  10/10
Tags:
family:dcrat family:umbral credential_access discovery evasion execution infostealer persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/240827-2bx7aawfpq/
Behaviour
Detects videocard installed
Modifies registry class
Modifies registry key
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
Views/modifies file attributes
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Program Files directory
Drops file in Windows directory
Adds Run key to start application
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Disables Task Manager via registry modification
Drops file in Drivers directory
Credentials from Password Stores: Credentials from Web Browsers
DCRat payload
DcRat
Detect Umbral payload
Modifies WinLogon for persistence
Process spawned unexpected child process
UAC bypass
Umbral
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/20f91caf-d358-41b4-b49a-e9fcef459791
Unpacked files
SH256 hash:
6d7b8c65737968c2ba34d5c64bf2427a49b7b4c74b3d558cf64814c97ba88cfb
MD5 hash:
260fd8b292d7acf337beab707e84604c
SHA1 hash:
1133c94c57883f8c5624837d51fb88ef220fab06
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/ea39e84d-93c9-48e2-8355-c6cc523e5813/
Parent samples :
8a23e0ccbd2027831ff07599f03b5c1324e080f9415983746de29a6c6ab695fc
6d7b8c65737968c2ba34d5c64bf2427a49b7b4c74b3d558cf64814c97ba88cfb
SH256 hash:
253b05b6848e8a312b0a622d62d370d6dedf59f24fb52fca803234977880649b
MD5 hash:
96ee12b0a9e8e1f0b0f85da1b482fdcb
SHA1 hash:
28711afb99a8397ebf5a6cb629e3e20465c0fdfa
Detections:
UmbralStealer
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SandboxComputerNames
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SandboxSystemUUIDs
Create hunting rule
MALWARE_Win_UmbralStealer
Create hunting rule
Link:
https://www.unpac.me/results/ea39e84d-93c9-48e2-8355-c6cc523e5813/
SH256 hash:
359ede2f634418bc23101b414c0b35139c1dbacd9a6b5ff152f0733c4a9bd3d0
MD5 hash:
6227db1487700389df5e1bd5c29e16b6
SHA1 hash:
68795a61f653f7b63fa5e2ebbbe1bc97aed3242f
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/ea39e84d-93c9-48e2-8355-c6cc523e5813/
Parent samples :
8a23e0ccbd2027831ff07599f03b5c1324e080f9415983746de29a6c6ab695fc
6d7b8c65737968c2ba34d5c64bf2427a49b7b4c74b3d558cf64814c97ba88cfb
SH256 hash:
8a23e0ccbd2027831ff07599f03b5c1324e080f9415983746de29a6c6ab695fc
MD5 hash:
31f61e9c68256b4cc089b3703c0e2039
SHA1 hash:
5ed8cecacc5e6165d43ee91787f72846d2e8ad01
Link:
https://www.unpac.me/results/ea39e84d-93c9-48e2-8355-c6cc523e5813/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8a23e0ccbd2027831ff07599f03b5c1324e080f9415983746de29a6c6ab695fc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

anyrun
any.run
https://app.any.run/tasks/6a5136ad-4f5d-4da8-9688-e45006e7a942

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (FORCE_INTEGRITY)high
Reviews
IDCapabilitiesEvidence
GDI_PLUS_APIInterfaces with Graphicsgdiplus.dll::GdiplusStartup
gdiplus.dll::GdiplusShutdown
gdiplus.dll::GdipAlloc
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AllocConsole
KERNEL32.dll::AttachConsole
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::FreeConsole
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateHardLinkW
KERNEL32.dll::CreateFileW
KERNEL32.dll::CreateFileMappingW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::MoveFileExW

Comments