PREMIUM PESCAN.IO - Analysis Report

| File Structure |
PE Chart Code (legend for the file-structure chart; the chart image itself is not included):
• Header PE (light blue)
• Executable sections (pink)
• Non-executable sections (black)
• External injected code (red)
• File Structure in red = malformed or corrupted header
Chart Code For Other Files:
• Printable characters (blue)
• Non-printable characters (black)
| Information |
| Field | Value |
|---|---|
| Size | 228,00 KB |
| SHA-256 Hash | 7931A3B775D8ABF1A12FC66FF74EEF70A35099DACB7E58B019BBDAD80DF01305 |
| SHA-1 Hash | 1B2A57CDE6D43E0BCC884684ECD33A93ACB1D703 |
| MD5 Hash | 9BC8CE31CA827331F6F4E1E3E3284F8A |
| Imphash | F34D5F2D4577ED6D9CEEC516C1F5A744 |
| MajorOSVersion | 4 |
| MinorOSVersion | 0 |
| CheckSum | 00000000 |
| EntryPoint (rva) | 3A5DE |
| SizeOfHeaders | 200 |
| SizeOfImage | 40000 |
| ImageBase | 400000 |
| Architecture | x86 |
| ImportTable | 3A58C |
| IAT | 2000 |
| Characteristics | 122 |
| TimeDateStamp | 9C61056C |
| Date | 19/02/2053 18:54:36 |
| File Type | EXE |
| Number Of Sections | 3 |
| ASLR | Disabled |
| Section Names | .text, .rsrc, .reloc |
| Number Of Executable Sections | 1 |
| Subsystem | Windows GUI |
| UAC Execution Level Manifest | asInvoker |
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 0x60000020 Code Executable Readable | 200 | 38600 | 2000 | 385E4 | | |
| .rsrc | 0x40000040 Initialized Data Readable | 38800 | 600 | 3C000 | 550 | | |
| .reloc | 0x42000040 Initialized Data GP-Relative Readable | 38E00 | 200 | 3E000 | C | | |
| Description |
| Field | Value |
|---|---|
| FileVersion | 1.0.0.0 |
| ProductVersion | 1.0.0.0 |
| Comments | Payload for Umbral Stealer |
| Language | Unknown (ID=0x0) |
| CodePage | Unicode (UTF-16 LE) (0x4B0) |
| Entry Point |
| Section 1 (.text) contains the entry point. EntryPoint (calculated, file offset): 387DE |
| Code (bytes at entry point): FF25002040000000000000000000000000000000000000000000000000000000000000000000000000000400000000000200 |
| EP changed to another address -> (Address Of EntryPoint > Base Of Data) |
| Assembler: JMP DWORD PTR [0X402000] | ADD BYTE PTR [EAX], AL | ADD BYTE PTR [EAX], AL | ADD BYTE PTR [EAX], AL | ADD BYTE PTR [EAX], AL | ADD BYTE PTR [EAX], AL | ADD BYTE PTR [EAX], AL | ADD BYTE PTR [EAX], AL | ADD BYTE PTR [EAX], AL | ADD BYTE PTR [EAX], AL | ADD BYTE PTR [EAX], AL | ADD BYTE PTR [EAX], AL | ADD BYTE PTR [EAX], AL | ADD BYTE PTR [EAX], AL | ADD BYTE PTR [EAX], AL | ADD BYTE PTR [EAX], AL | ADD BYTE PTR [EAX], AL | ADD BYTE PTR [EAX], AL | ADD BYTE PTR [EAX], AL | ADD AL, 0 | ADD BYTE PTR [EAX], AL | ADD BYTE PTR [EAX], AL | ADD AL, BYTE PTR [EAX] |
| Signatures |
| Certificate - Digital Signature Not Found: • The file is not signed |
| Packer/Compiler |
| Compiler: Microsoft Visual .NET - (You can use a decompiler for this...) • AnyCPU: True • Version: v4.0 |
| Detect It Easy (die): • PE: library: .NET(v4.0.30319)[-] • PE: linker: Microsoft Linker(48.0)[-] • Entropy: 6.03726 |
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| ADVAPI32.DLL | CryptDecrypt (Possible Call API By Name) | Performs a cryptographic operation on data in a data block. |
| ADVAPI32.DLL | CryptEncrypt | Performs a cryptographic operation on data in a data block. |
| ADVAPI32.DLL | CryptDecrypt | Performs a cryptographic operation on data in a data block. |
| Windows REG (UNICODE) |
| • SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY • System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER |
| File Access |
| Umbral.payload.exe mscoree.dll bcrypt.dll kernel32.dll .Umbral.payload.Sys /Umbral.payload.Sys Temp |
| File Access (UNICODE) |
| attrib.exe cmd.exe powershell.exe wmic.exe Source.txt alts.txt %Roblox Cookies.txt %Yandex Cookies.txt Vivaldi Cookies.txt -UR Browser Cookies.txt Slimjet Cookies.txt )Opera GX Cookies.txt Opera Cookies.txt Iridium Cookies.txt 1Epic Privacy Cookies.txt !Edge Cookies.txt 3Comodo Dragon Cookies.txt )Chromium Cookies.txt %Chrome Cookies.txt Brave Cookies.txt )Yandex Passwords.txt +Vivaldi Passwords.txt 1UR Browser Passwords.txt +Slimjet Passwords.txt -Opera GX Passwords.txt Opera Passwords.txt +Iridium Passwords.txt 5Epic Privacy Passwords.txt %Edge Passwords.txt 7Comodo Dragon Passwords.txt -Chromium Passwords.txt )Chrome Passwords.txt Brave Passwords.txt )Discord Accounts.txt Temp AppData UserProfile |
| Words of Interest |
| lockbit PADDINGX Stealer Encrypt Decrypt Encryption PassWord <form <main exec attrib start pause cipher systeminfo ping replace |
| Words of Interest (UNICODE) |
| Virus Stealer Encrypt Decrypt PassWord powershell attrib start pause wmic ping |
| Anti-VM/Sandbox/Debug Tricks (UNICODE) |
| • LabTools - wireshark • LabTools - taskmgr |
| URLs (UNICODE) |
| http://ip-api.com/json/?fields=225545 http://ip-api.com/line/?fields=hosting https://github.com/Blank-c/Umbral-Stealer https://gstatic.com/generate_204 https://discord.com/api/v10/users/@me https://discordapp.com/api/v9/users/@me/billing/payment-sources https://discord.com/api/v10/users/@me/outbound-promotions/codes |
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | WinAPI Sockets (connect) |
| Text | Ascii | File (GetTempPath) |
| Text | Ascii | Encryption (FromBase64String) |
| Text | Ascii | Encryption API (CryptDecrypt) |
| Text | Unicode | Encryption API (CryptDecrypt) |
| Text | Ascii | Execution (ShellExecute) |
| Text | Unicode | Antivirus Software (emsisoft) |
| Text | Unicode | Antivirus Software (clamav) |
| Text | Ascii | Antivirus Software (comodo) |
| Text | Unicode | Antivirus Software (avira) |
| Text | Unicode | Antivirus Software (avast) |
| Text | Unicode | Antivirus Software (drweb) |
| Text | Unicode | Antivirus Software (panda) |
| Text | Unicode | Antivirus Software (sophos) |
| Text | Unicode | Antivirus Software (trendmicro) |
| Text | Unicode | Antivirus Software (defender) |
| Text | Ascii | Malicious code executed after exploiting a vulnerability (Payload) |
| Text | Unicode | Malicious code executed after exploiting a vulnerability (Payload) |
| Text | Ascii | Malware designed to steal sensitive information from a system (Stealer) |
| Text | Unicode | Malware designed to steal sensitive information from a system (Stealer) |
| Text | Ascii | Malicious rerouting of traffic to an attacker-controlled site (Redirect) |
| Entry Point | Hex Pattern | Microsoft Visual Studio .NET |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \VERSION\1\0 | 3C0A0 | 2C4 | 388A0 | C40234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000 | ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \24\1\0 | 3C364 | 1EA | 38B64 | EFBBBF3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E65 | ...<?xml version="1.0" encoding="UTF-8" standalone |
| Intelligent String |
| • 1.0.0.0 • virustotal.com • avast.com • totalav.com • scanguard.com • !totaladblock.com • pcprotect.com • mcafee.com • bitdefender.com • us.norton.com • avg.com • !malwarebytes.com • pandasecurity.com • avira.com • norton.com • eset.com • zillya.com • kaspersky.com • usa.kaspersky.com • sophos.com • home.sophos.com • adaware.com • bullguard.com • clamav.net • drweb.com • emsisoft.com • f-secure.com • zonealarm.com • trendmicro.com • ccleaner.com • 0.0.0.0 www. • )Discord Accounts.txt • 'Brave Passwords.txt • )Chrome Passwords.txt • -Chromium Passwords.txt • 7Comodo Dragon Passwords.txt • %Edge Passwords.txt • 5Epic Privacy Passwords.txt • +Iridium Passwords.txt • 'Opera Passwords.txt • -Opera GX Passwords.txt • +Slimjet Passwords.txt • 1UR Browser Passwords.txt • +Vivaldi Passwords.txt • )Yandex Passwords.txt • Brave Cookies.txt • %Chrome Cookies.txt • )Chromium Cookies.txt • 3Comodo Dragon Cookies.txt • !Edge Cookies.txt • 1Epic Privacy Cookies.txt • 'Iridium Cookies.txt • Opera Cookies.txt • )Opera GX Cookies.txt • 'Slimjet Cookies.txt • -UR Browser Cookies.txt • 'Vivaldi Cookies.txt • %Yandex Cookies.txt • %Roblox Cookies.txt • wmic.exe • powershell.exe • http://ip-api.com/json/?fields=225545 • https://github.com/Blank-c/Umbral-Stealer • Y | https://github.com/Blank-c/Umbral-Stealer • .zip • accounts.nbt • alts.txt • Source.txt • .scr • https://gstatic.com/generate_204 • .png • runas • cmd.exe • E/c ping localhost && del /F /A h " • attrib.exe • https://discord.com/api/v10/users/@me • https://discordapp.com/api/v9/users/@me/billing/payment-sources • https://discord.com/api/v10/users/@me/outbound-promotions/codes • .log • .ldb • Login Data • logins • http://ip-api.com/line/?fields=hosting • dumpcap • ksdumperclient • ksdumper • _CorExeMainmscoree.dll |
| Flow Anomalies |
| Offset | RVA | Section | Description |
|---|---|---|---|
| 1D898 | 28560006 | .text | JMP [static]: Indirect jump to absolute memory address |
| 243A2 | 2C10CE1 | .text | JMP [static]: Indirect jump to absolute memory address |
| 387DE | 402000 | .text | JMP [static]: Indirect jump to absolute memory address |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 137155 | 58,7458% |
| Null Byte Code | 57057 | 24,4385% |