File name:	void.exe
Full analysis:	https://app.any.run/tasks/59f0fc01-9e23-445a-8459-69ef5a1800b9
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	January 09, 2025, 20:00:06
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	evasion umbralstealer stealer arch-doc discord exfiltration discordgrabber generic umbral ims-api
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5:	B95EBCF2AE71C29E2FAB45E455454F66
SHA1:	6D2B76CCA8A9F9B83652B570FDC56A2B39C1A3DA
SHA256:	26AB66EBBAEBD820BA8BE4DA58FE5D2403F29C254E6946354E128B4379B09EF6
SSDEEP:	49152:44O0CTev9R/rqokmOCdf4tv4O2zl+yEZyu:u0CTCHrQCKQvlLu

.exe	\|	Win32 Executable Delphi generic (37.4)
.scr	\|	Windows screen saver (34.5)
.exe	\|	Win32 Executable (generic) (11.9)
.exe	\|	Win16/32 Executable Delphi generic (5.4)
.exe	\|	Generic Win/DOS Executable (5.2)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	1992:06:19 22:22:17+00:00
ImageFileCharacteristics:	Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType:	PE32
LinkerVersion:	2.25
CodeSize:	5120
InitializedDataSize:	1232384
UninitializedDataSize:	-
EntryPoint:	0x20cc
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI


(PID) Process:	(6328) void.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:	(6392) Source code.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Source code_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(6392) Source code.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Source code_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(6392) Source code.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Source code_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(6392) Source code.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Source code_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(6392) Source code.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Source code_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value:
(PID) Process:	(6392) Source code.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Source code_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(6392) Source code.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Source code_RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing
(PID) Process:	(6392) Source code.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Source code_RASMANCS
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(6392) Source code.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Source code_RASMANCS
Operation:	write	Name:	EnableAutoFileTracing
Value: 0

PID	Process	Filename		Type
448	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ixrr0gtx.3z2.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6328	void.exe	C:\Users\admin\AppData\Local\Temp\Source code.exe		executable
		MD5:1BD8C57A285B16031347D648DA8236DF	SHA256:3FC0488CAEFD731DE70F92C6FB7BC71DDAA9C95304692357A53681D9878E4FE2
448	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_vt5atrsb.cir.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
448	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:4D6F17CB5B6BFA95DAF517CD04107008	SHA256:CA834CB182EE6029EE5BC8A0F86F71BA1BF0D12BC07500973E4C01516CC2AD2C
3436	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_fc3bmbuc.uoq.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3436	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ws0h15x3.awd.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6940	Source code.exe	C:\Windows\System32\drivers\etc\hosts		text
		MD5:2992FEB95030E84DE4A6D2F432E17E5F	SHA256:5E9F7AAADDAD64848ADC44BD44DE1FFE3E69DFCCDEFF29B58067A7F313EABD2D
6940	Source code.exe	C:\Users\admin\AppData\Local\Temp\Ya2pMeV3qVEYzoA		binary
		MD5:91FF0DAC5DF86E798BFEF5E573536B08	SHA256:DE676BAE28A480011D3D012DB14BEF539324E62A841A9627863C689BEA168AF3
6940	Source code.exe	C:\Users\admin\AppData\Local\Temp\zBMgOiJB0E4hGMy\Browsers\Cookies\Edge Cookies.txt		text
		MD5:4D3711EB22E4DE4E18EE2798220A5624	SHA256:A069B6FDD04BD8EA474694DA6B3E268B4EDF17BFDE48F35EBAC7BB0F2C2A439D
5536	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_l3fd0c5s.lwm.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6392	Source code.exe	GET	200	208.95.112.1:80	http://ip-api.com/line/?fields=hosting	unknown	—	—	shared
—	—	GET	204	142.250.185.99:443	https://gstatic.com/generate_204	unknown	—	—	—
6940	Source code.exe	GET	200	208.95.112.1:80	http://ip-api.com/line/?fields=hosting	unknown	—	—	shared
6940	Source code.exe	GET	200	208.95.112.1:80	http://ip-api.com/json/?fields=225545	unknown	—	—	shared
—	—	POST	404	162.159.137.232:443	https://discord.com/api/webhooks/1326189868132470804/0PHWSyQSIa4FHLD7ongsl606LGHkxDinslZqvpEbR2nHgiv9NT-W3uGflUZv7ShrMLLF	unknown	binary	45 b	whitelisted
—	—	POST	404	162.159.135.232:443	https://discord.com/api/webhooks/1326189868132470804/0PHWSyQSIa4FHLD7ongsl606LGHkxDinslZqvpEbR2nHgiv9NT-W3uGflUZv7ShrMLLF	unknown	binary	45 b	whitelisted
—	—	GET	204	142.250.185.99:443	https://gstatic.com/generate_204	unknown	—	—	—

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	2.16.204.154:443	www.bing.com	Akamai International B.V.	DE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6392	Source code.exe	216.58.206.67:443	gstatic.com	GOOGLE	US	whitelisted
2220	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6392	Source code.exe	208.95.112.1:80	ip-api.com	TUT-AS	US	shared
6940	Source code.exe	216.58.206.67:443	gstatic.com	GOOGLE	US	whitelisted
6940	Source code.exe	208.95.112.1:80	ip-api.com	TUT-AS	US	shared

Domain	IP	Reputation
www.bing.com	2.16.204.154 2.16.204.151 2.16.204.157 2.16.204.141 2.16.204.152 2.16.204.145 2.16.204.143 2.16.204.146	whitelisted
settings-win.data.microsoft.com	51.104.136.2	whitelisted
google.com	142.250.184.206	whitelisted
gstatic.com	216.58.206.67	whitelisted
ip-api.com	208.95.112.1	shared
discord.com	162.159.137.232 162.159.136.232 162.159.128.233 162.159.138.232 162.159.135.232	whitelisted
self.events.data.microsoft.com	20.189.173.6	whitelisted

PID	Process	Class	Message
2192	svchost.exe	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Check (ip-api .com)
2192	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
6392	Source code.exe	Device Retrieving External IP Address Detected	POLICY [ANY.RUN] External Hosting Lookup by ip-api
6392	Source code.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup ip-api.com
6940	Source code.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup ip-api.com
6940	Source code.exe	Device Retrieving External IP Address Detected	POLICY [ANY.RUN] External Hosting Lookup by ip-api
6940	Source code.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup ip-api.com
6940	Source code.exe	A Network Trojan was detected	STEALER [ANY.RUN] UmbralStealer Generic External IP Check
2192	svchost.exe	Misc activity	ET INFO Observed Discord Domain in DNS Lookup (discord .com)
6940	Source code.exe	Misc activity	ET INFO Observed Discord Domain (discord .com in TLS SNI)

General Info

void.exe

B95EBCF2AE71C29E2FAB45E455454F66

6D2B76CCA8A9F9B83652B570FDC56A2B39C1A3DA

26AB66EBBAEBD820BA8BE4DA58FE5D2403F29C254E6946354E128B4379B09EF6

49152:44O0CTev9R/rqokmOCdf4tv4O2zl+yEZyu:u0CTCHrQCKQvlLu

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Adds path to the Windows Defender exclusion list

Changes settings for checking scripts for malicious actions

Changes settings for real-time protection

Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)

Changes Controlled Folder Access settings

Changes settings for reporting to Microsoft Active Protection Service (MAPS)

Changes settings for sending potential threat samples to Microsoft servers

Changes settings for protection against network attacks (IPS)

UMBRAL has been detected (YARA)

UMBRALSTEALER has been detected (YARA)

DISCORDGRABBER has been detected (YARA)

Create files in the Startup directory

Steals credentials from Web Browsers

Actions looks like stealing of personal data

Starts CMD.EXE for self-deleting

UMBRALSTEALER has been detected (SURICATA)

Attempting to use instant messaging service

Stealers network behavior

SUSPICIOUS

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Uses WMIC.EXE to obtain Windows Installer data

Reads the date of Windows installation

Accesses product unique identifier via WMI (SCRIPT)

Application launched itself

Uses ATTRIB.EXE to modify file attributes

Checks for external IP

Script disables Windows Defender's real-time protection

Script disables Windows Defender's IPS

Script adds exclusion path to Windows Defender

Starts POWERSHELL.EXE for commands execution

Accesses operating system name via WMI (SCRIPT)

Uses WMIC.EXE to obtain operating system information

Uses WMIC.EXE to obtain computer system information

Starts CMD.EXE for commands execution

Possible usage of Discord/Telegram API has been detected (YARA)

Uses WMIC.EXE to obtain a list of video controllers

The process connected to a server suspected of theft

Accesses video controller name via WMI (SCRIPT)

INFO

Checks supported languages

Reads the computer name

Process checks computer location settings

The sample compiled with english language support

Create files in a temporary directory

Reads the machine GUID from the registry

Reads security settings of Internet Explorer

Disables trace logs

Reads Environment values

Reads the software policy settings

The process uses the downloaded file

Script raised an exception (POWERSHELL)

Checks if a key exists in the options dictionary (POWERSHELL)

Attempting to use instant messaging service

Manual execution by a user

Reads Microsoft Office registry keys

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules