Overview

overview

10

Static

static

10

C11Bootstr...up.exe

windows11-21h2-x64

10

C11Bootstr...er.exe

windows11-21h2-x64

10

C11Bootstr...on.bat

windows11-21h2-x64

10

C11Bootstr...or.exe

windows11-21h2-x64

10

C11Bootstr...ox.vbs

windows11-21h2-x64

1

C11Bootstr...rt.bat

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    C11Bootstrapper.zip

  • Size

    214KB

  • Sample

    240419-y4b8qsee42

  • MD5

    f2a3127167527858f3df2856faf175a1

  • SHA1

    f65ae05fbadc1230d4d4511523c1220bd066a251

  • SHA256

    b5b756ca3f6097116ccd6b5b284bc7c0ace10a5842a70ce96ebefde62b687f49

  • SHA512

    e5f3dcd5cc45fe0e6e285d1c74702f4369113b07dfa2be383e61cc98b38715562b542d4ecfcadfafabdeddf5c20794085e0f17f9e3b209381c985f6b99cc3683

  • SSDEEP

    6144:LA3cXkEnu8vjKbnU9tWCnHGXf3fgDmRyno8wIzHgo:LAMXkr8IUjmXfPgDmRyno8wIzAo

Score
10/10
asyncratumbraldefaultratspywarestealer

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

127.0.0.1:4449

127.0.0.1:6555

127.0.0.1:0

127.0.0.1:4040
Mutex

chhphkahmfnasuyziqc

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %Temp%

aes.plain
aes.plain

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1210158511317590106/v9w3kiFGxTmHnaLb091GZCxjv8fdr5efj0qIDNAgPdpreNR5UKL8WQl7YxoqctUCkOnB

Targets

    • Target

      C11Bootstrapper/Properties/C11Setup.exe

    • Size

      252KB

    • MD5

      c23a7c501e475f0065efdc9775890deb

    • SHA1

      adc0d1bb12657bd6ca4354399cbfab7b9ad9cd45

    • SHA256

      b57490326cb83aaf68d2ddfd95655b89387956100c5d09c8fcd4fa50e54fb5c4

    • SHA512

      f6374e254a5ccad62549b235b4c66ef6164cfc34fd91d9ca545d44dce87c3d78984759e858d5eae796f8a096f91cf3fe5f0e1255660b00b1ece430e82af539c7

    • SSDEEP

      3072:yURcxONo2PMVI+DdH1bsv8eOQbR7c2ytBcL5BdkwvTkmEdxkY:yEo2PMVPdVbSOkWwvqdK

    Score
    10/10
    asyncratdefaultrat

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat
    behavioral1

    • Target

      C11Bootstrapper/Properties/GuiLoader.exe

    • Size

      246KB

    • MD5

      1bb249792e56063762f5adb2d94fc8c9

    • SHA1

      9a1fa4886ed023f864c06345b639a121f6359cd1

    • SHA256

      f61483bd59316dff21d5bc3fc8f32811dd8ddca826a84255ab5ea2cdfef3d7ae

    • SHA512

      d8a2af35713bf4ce979440375c460b9f7b3f2849abc9cdf0d2fdb5e891a5bab36ed101da94f6b57d3dc775c3a0fdeffbaeab8981965ec72fe56adfa5dab501ba

    • SSDEEP

      6144:RloZM+rIkd8g+EtXHkv/iD4kgOZGCg/7I7R0STTKvYb8e1mZzi:joZtL+EP8kgOZGCg/7I7R0STTKIX

    Score
    10/10
    umbralspywarestealer

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

      stealerumbral

    • Drops file in Drivers directory

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral2

    • Target

      C11Bootstrapper/Properties/IndependenciesInstallation.bat

    • Size

      489B

    • MD5

      d8da01fb6f6288b044868f85228cbb10

    • SHA1

      9d08c813ce59ab863c6ec3c68c336eed265c5e8a

    • SHA256

      74416d022dde876ff622038a6359907da239bbd26ceb7024f5d39dd52f16c9de

    • SHA512

      c92b83ba5513694e05cf908a747609dd6fd3c70944d04a9b8a62939f4372561e4feb567d158b0316853c50a0c241a1c8c075875746a1e538912ea91ff84c308e

    Score
    10/10
    asyncratumbraldefaultratstealer

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

      stealerumbral

    • Drops file in Drivers directory

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral3

    • Target

      C11Bootstrapper/Properties/PageEditor.exe

    • Size

      74KB

    • MD5

      a9059aabce80a9bd86ea74d01d953a06

    • SHA1

      6337cfb59de03c4db547a055629aeebaee7c0e3c

    • SHA256

      8b00d36214879581fef1186bfa9f49b162a59361316ea8cfae52bd799aa4cab9

    • SHA512

      1373adc5d7ec32bd0db3cb0d3a6bf03aec41aba7a8107ce0e5463ae877c0e27f59c0a44e770bac10c0ac063f27c861225538a05bf5b5b87dbbefe78a4f66f4a8

    • SSDEEP

      1536:gUgUcxoyR1CriPMVTjCBevPIaH1b8/U3kMQzcmGVclN:gU9cxoyXkiPMV/CCrH1b8UkMQvcY

    Score
    10/10
    asyncratdefaultrat

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat
    behavioral4

    • Target

      C11Bootstrapper/Properties/msgbox.vbs

    • Size

      96B

    • MD5

      ef10af9d03259c1ff948292a02f686b0

    • SHA1

      66e00f6e8827074757939faaca94764757bf35b7

    • SHA256

      a60243608aebfe0cd20869cb1d8d62e937752ca0d8e45b09c1b474ae5f1a4b07

    • SHA512

      2ffe2d8314699579912484f2149f876878b55618ab55aa6a3cf3cb99c761a9df77af5147e62b652458d3f9eb560a97fa8c07ec3d7faf559cae4f86633070f74d

    Score
    1/10
    behavioral5

    • Target

      C11Bootstrapper/Start.bat

    • Size

      1KB

    • MD5

      4e3179e79f11708b60c3af67718cc0ae

    • SHA1

      e22536c444427ce73dcc50091c28477c44e23210

    • SHA256

      6953af9e22a172b023757199cc77c0ea2353bfe7ab1843516a161081f0c1d76d

    • SHA512

      aaf2402399fe8887fe516a3be50054129298970dc322652dc02578a523be74135e02b6856f0b7b774df3c827b131d54828143583038bc5350c40e89dcd1409e1

    Score
    10/10
    asyncratumbraldefaultratstealer

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

      stealerumbral

    • Drops file in Drivers directory

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral6

MITRE ATT&CK Enterprise v15

Tasks