General
-
Target
C11Bootstrapper.zip
-
Size
214KB
-
Sample
240419-za94caeg77
-
MD5
554a6628d2a45997875764e432152e6e
-
SHA1
2ffcfba2654c6c6e3ffe267da5dd47e661cfdb5c
-
SHA256
60250d1395011fa3fafae608a46d70882fc4e1ad13b7146eed27d49344edb554
-
SHA512
f028158395ec4b648665fa200089d9005f539bd6dcf95946bb08d2a20dae0c731a24ac738f76777a4df24943ded0b12652988904df2010f892b2308d9834e766
-
SSDEEP
6144:iA3cXkEnu8vjKbnU9tWCnHGXf3fgDmacEA48fHJk:iAMXkr8IUjmXfPgDmacEA4gpk
Behavioral task
behavioral1
Sample
C11Bootstrapper/Properties/C11Setup.exe
Resource
win11-20240412-en
Behavioral task
behavioral2
Sample
C11Bootstrapper/Properties/GuiLoader.exe
Resource
win11-20240412-en
Behavioral task
behavioral3
Sample
C11Bootstrapper/Properties/IndependenciesInstallation.bat
Resource
win11-20240412-en
Behavioral task
behavioral4
Sample
C11Bootstrapper/Properties/PageEditor.exe
Resource
win11-20240412-en
Behavioral task
behavioral5
Sample
C11Bootstrapper/Properties/msgbox.vbs
Resource
win11-20240412-en
Malware Config
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
Default
127.0.0.1:4449
127.0.0.1:6555
127.0.0.1:0
127.0.0.1:4040
chhphkahmfnasuyziqc
-
delay
1
-
install
false
-
install_folder
%Temp%
Extracted
umbral
https://discord.com/api/webhooks/1210158511317590106/v9w3kiFGxTmHnaLb091GZCxjv8fdr5efj0qIDNAgPdpreNR5UKL8WQl7YxoqctUCkOnB
Targets
-
-
Target
C11Bootstrapper/Properties/C11Setup.exe
-
Size
252KB
-
MD5
c23a7c501e475f0065efdc9775890deb
-
SHA1
adc0d1bb12657bd6ca4354399cbfab7b9ad9cd45
-
SHA256
b57490326cb83aaf68d2ddfd95655b89387956100c5d09c8fcd4fa50e54fb5c4
-
SHA512
f6374e254a5ccad62549b235b4c66ef6164cfc34fd91d9ca545d44dce87c3d78984759e858d5eae796f8a096f91cf3fe5f0e1255660b00b1ece430e82af539c7
-
SSDEEP
3072:yURcxONo2PMVI+DdH1bsv8eOQbR7c2ytBcL5BdkwvTkmEdxkY:yEo2PMVPdVbSOkWwvqdK
-
-
-
Target
C11Bootstrapper/Properties/GuiLoader.exe
-
Size
246KB
-
MD5
1bb249792e56063762f5adb2d94fc8c9
-
SHA1
9a1fa4886ed023f864c06345b639a121f6359cd1
-
SHA256
f61483bd59316dff21d5bc3fc8f32811dd8ddca826a84255ab5ea2cdfef3d7ae
-
SHA512
d8a2af35713bf4ce979440375c460b9f7b3f2849abc9cdf0d2fdb5e891a5bab36ed101da94f6b57d3dc775c3a0fdeffbaeab8981965ec72fe56adfa5dab501ba
-
SSDEEP
6144:RloZM+rIkd8g+EtXHkv/iD4kgOZGCg/7I7R0STTKvYb8e1mZzi:joZtL+EP8kgOZGCg/7I7R0STTKIX
-
Detect Umbral payload
-
Drops file in Drivers directory
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
C11Bootstrapper/Properties/IndependenciesInstallation.bat
-
Size
489B
-
MD5
d8da01fb6f6288b044868f85228cbb10
-
SHA1
9d08c813ce59ab863c6ec3c68c336eed265c5e8a
-
SHA256
74416d022dde876ff622038a6359907da239bbd26ceb7024f5d39dd52f16c9de
-
SHA512
c92b83ba5513694e05cf908a747609dd6fd3c70944d04a9b8a62939f4372561e4feb567d158b0316853c50a0c241a1c8c075875746a1e538912ea91ff84c308e
-
Detect Umbral payload
-
Drops file in Drivers directory
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
C11Bootstrapper/Properties/PageEditor.exe
-
Size
74KB
-
MD5
442510aa0ce41f62d8c30c76a1d1f96f
-
SHA1
9d5dec9eba0d5d32750b9c891ce4697893883a1e
-
SHA256
27f935d3417a40c871572f8bdfe5168b8caa1dc603dd6d4cf466d2a943a73083
-
SHA512
25f20691094c9c0d5fd868a04451039407c442d05e8c43659465fe36d24ba618d1912296f57ce3ae64a168e03809716c2d95376a90acf561c12035254efb2d62
-
SSDEEP
1536:jU9kcx5v/5CxSPMV7jCBevPIaH1b8/vuytQzc51VclN:jU2cx5vx2SPMV3CCrH1b83uAQsXY
-
-
-
Target
C11Bootstrapper/Properties/msgbox.vbs
-
Size
96B
-
MD5
ef10af9d03259c1ff948292a02f686b0
-
SHA1
66e00f6e8827074757939faaca94764757bf35b7
-
SHA256
a60243608aebfe0cd20869cb1d8d62e937752ca0d8e45b09c1b474ae5f1a4b07
-
SHA512
2ffe2d8314699579912484f2149f876878b55618ab55aa6a3cf3cb99c761a9df77af5147e62b652458d3f9eb560a97fa8c07ec3d7faf559cae4f86633070f74d
Score1/10 -
-
-
Target
C11Bootstrapper/Start.bat
-
Size
1KB
-
MD5
4e3179e79f11708b60c3af67718cc0ae
-
SHA1
e22536c444427ce73dcc50091c28477c44e23210
-
SHA256
6953af9e22a172b023757199cc77c0ea2353bfe7ab1843516a161081f0c1d76d
-
SHA512
aaf2402399fe8887fe516a3be50054129298970dc322652dc02578a523be74135e02b6856f0b7b774df3c827b131d54828143583038bc5350c40e89dcd1409e1
-
Detect Umbral payload
-
Drops file in Drivers directory
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-