General
-
Target
C11Bootstrapper.zip
-
Size
214KB
-
Sample
240419-zd5b9seh65
-
MD5
350fd482e9f472a09cba68aeb0020ddf
-
SHA1
7f31fbacd12e8a4fcd355c5cff97a2f2e67c4026
-
SHA256
d3e1c2f2dd8d4a80459df74eeb9a1d967f91ff3af3b106be6cd7a96dc319a062
-
SHA512
7af82aa1b373eb0d22d5289b4eddbfb1eddb2bda910a375c940ac1ca452b7e29e60224b44c143d9099be083cf72483448a865e41abb48928e0ec6567e9a7db6f
-
SSDEEP
6144:NA3cXkEnu8vjKbnU9tWCnHGXf3fgDmzV4e42H6D:NAMXkr8IUjmXfPgDmzH42aD
Behavioral task
behavioral1
Sample
C11Bootstrapper/Properties/C11Setup.exe
Resource
win11-20240412-en
Behavioral task
behavioral2
Sample
C11Bootstrapper/Properties/GuiLoader.exe
Resource
win11-20240412-en
Behavioral task
behavioral3
Sample
C11Bootstrapper/Properties/IndependenciesInstallation.bat
Resource
win11-20240412-en
Behavioral task
behavioral4
Sample
C11Bootstrapper/Properties/PageEditor.exe
Resource
win11-20240412-en
Behavioral task
behavioral5
Sample
C11Bootstrapper/Properties/msgbox.vbs
Resource
win11-20240412-en
Malware Config
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
Default
127.0.0.1:4449
127.0.0.1:4040
chhphkahmfnasuyziqc
-
delay
1
-
install
false
-
install_folder
%Temp%
Extracted
umbral
https://discord.com/api/webhooks/1210158511317590106/v9w3kiFGxTmHnaLb091GZCxjv8fdr5efj0qIDNAgPdpreNR5UKL8WQl7YxoqctUCkOnB
Targets
-
-
Target
C11Bootstrapper/Properties/C11Setup.exe
-
Size
252KB
-
MD5
c23a7c501e475f0065efdc9775890deb
-
SHA1
adc0d1bb12657bd6ca4354399cbfab7b9ad9cd45
-
SHA256
b57490326cb83aaf68d2ddfd95655b89387956100c5d09c8fcd4fa50e54fb5c4
-
SHA512
f6374e254a5ccad62549b235b4c66ef6164cfc34fd91d9ca545d44dce87c3d78984759e858d5eae796f8a096f91cf3fe5f0e1255660b00b1ece430e82af539c7
-
SSDEEP
3072:yURcxONo2PMVI+DdH1bsv8eOQbR7c2ytBcL5BdkwvTkmEdxkY:yEo2PMVPdVbSOkWwvqdK
-
-
-
Target
C11Bootstrapper/Properties/GuiLoader.exe
-
Size
246KB
-
MD5
1bb249792e56063762f5adb2d94fc8c9
-
SHA1
9a1fa4886ed023f864c06345b639a121f6359cd1
-
SHA256
f61483bd59316dff21d5bc3fc8f32811dd8ddca826a84255ab5ea2cdfef3d7ae
-
SHA512
d8a2af35713bf4ce979440375c460b9f7b3f2849abc9cdf0d2fdb5e891a5bab36ed101da94f6b57d3dc775c3a0fdeffbaeab8981965ec72fe56adfa5dab501ba
-
SSDEEP
6144:RloZM+rIkd8g+EtXHkv/iD4kgOZGCg/7I7R0STTKvYb8e1mZzi:joZtL+EP8kgOZGCg/7I7R0STTKIX
-
Detect Umbral payload
-
Drops file in Drivers directory
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
C11Bootstrapper/Properties/IndependenciesInstallation.bat
-
Size
489B
-
MD5
d8da01fb6f6288b044868f85228cbb10
-
SHA1
9d08c813ce59ab863c6ec3c68c336eed265c5e8a
-
SHA256
74416d022dde876ff622038a6359907da239bbd26ceb7024f5d39dd52f16c9de
-
SHA512
c92b83ba5513694e05cf908a747609dd6fd3c70944d04a9b8a62939f4372561e4feb567d158b0316853c50a0c241a1c8c075875746a1e538912ea91ff84c308e
-
Detect Umbral payload
-
Drops file in Drivers directory
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
C11Bootstrapper/Properties/PageEditor.exe
-
Size
74KB
-
MD5
a419717ff743b0f11fdde27177617cb5
-
SHA1
38e6575ad65c4cdf3301c22ff6d827e11436006f
-
SHA256
41adf4e4e460a3119ad27d5874f7ea6e09781eb91e33d90e4a5faeeaadee8300
-
SHA512
0f9a00f3d5027e6aa5636d2564db89787cc83224aa83c771822655a057fffe2f2e642c98ca9ff603ed3be4ea655d5c02c8a28161895036e80284d009ddf9b1d6
-
SSDEEP
1536:gUYkcx9pXCTyPMVXjCBevPIaH1b8/uDaQzcp1VclN:gU1cx958yPMVzCCrH1b8BQ8XY
-
-
-
Target
C11Bootstrapper/Properties/msgbox.vbs
-
Size
96B
-
MD5
ef10af9d03259c1ff948292a02f686b0
-
SHA1
66e00f6e8827074757939faaca94764757bf35b7
-
SHA256
a60243608aebfe0cd20869cb1d8d62e937752ca0d8e45b09c1b474ae5f1a4b07
-
SHA512
2ffe2d8314699579912484f2149f876878b55618ab55aa6a3cf3cb99c761a9df77af5147e62b652458d3f9eb560a97fa8c07ec3d7faf559cae4f86633070f74d
Score1/10 -
-
-
Target
C11Bootstrapper/Start.bat
-
Size
1KB
-
MD5
4e3179e79f11708b60c3af67718cc0ae
-
SHA1
e22536c444427ce73dcc50091c28477c44e23210
-
SHA256
6953af9e22a172b023757199cc77c0ea2353bfe7ab1843516a161081f0c1d76d
-
SHA512
aaf2402399fe8887fe516a3be50054129298970dc322652dc02578a523be74135e02b6856f0b7b774df3c827b131d54828143583038bc5350c40e89dcd1409e1
-
Detect Umbral payload
-
Drops file in Drivers directory
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-