General

Target: C11Bootstrapper.zip
Size: 193KB
Sample: 240419-zz2s9sgd5y
MD5: c0aa2729c58fca545c27521b4de2b97c
SHA1: a591b1e81f7158bcb346d7017edbf09abf9b01de
SHA256: 38264c8656ce4163c7d1cf3014863dc7398227df662b90a30c6342d6f45bb5a6
SHA512: b40fc38c500a24ccacc6f9e67422398d3c3ffb6da33edda7fa37a7a29e8937b6017d29bb3c34fd27f4e981eed6a38e0bfeeb678b91b9f4ea7d589d8c23c56a52
SSDEEP: 6144:BA3cXkEnu8vjKbnU9tWCnHGXf3fgDm+HuT:BAMXkr8IUjmXfPgDm+OT
Behavioral tasks

behavioral1
  Sample: C11Bootstrapper/Properties/GuiLoader.exe
  Resource: win11-20240412-en

behavioral2
  Sample: C11Bootstrapper/Properties/IndependenciesInstallation.bat
  Resource: win11-20240412-en

behavioral3
  Sample: C11Bootstrapper/Properties/PageEditor.exe
  Resource: win11-20240412-en
Malware Config

Extracted: asyncrat
  Venom RAT + HVNC + Stealer + Grabber v6.0.3
  Default
  127.0.0.1:4449
  chhphkahmfnasuyziqc
  delay: 1
  install: false
  install_folder: %Temp%

Extracted: umbral
  https://discord.com/api/webhooks/1210158511317590106/v9w3kiFGxTmHnaLb091GZCxjv8fdr5efj0qIDNAgPdpreNR5UKL8WQl7YxoqctUCkOnB

Extracted: njrat
  0.7d
  Team TIB's Victim
  127.0.0.1:4040
  9d2e440703ae716f1154fa98bacb513a
  reg_key: 9d2e440703ae716f1154fa98bacb513a
  splitter: Y262SUCZ4UJJ
Targets

Target: C11Bootstrapper/Properties/GuiLoader.exe
Size: 246KB
MD5: 1bb249792e56063762f5adb2d94fc8c9
SHA1: 9a1fa4886ed023f864c06345b639a121f6359cd1
SHA256: f61483bd59316dff21d5bc3fc8f32811dd8ddca826a84255ab5ea2cdfef3d7ae
SHA512: d8a2af35713bf4ce979440375c460b9f7b3f2849abc9cdf0d2fdb5e891a5bab36ed101da94f6b57d3dc775c3a0fdeffbaeab8981965ec72fe56adfa5dab501ba
SSDEEP: 6144:RloZM+rIkd8g+EtXHkv/iD4kgOZGCg/7I7R0STTKvYb8e1mZzi:joZtL+EP8kgOZGCg/7I7R0STTKIX

- Detect Umbral payload
- Drops file in Drivers directory
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
Target: C11Bootstrapper/Properties/IndependenciesInstallation.bat
Size: 489B
MD5: d8da01fb6f6288b044868f85228cbb10
SHA1: 9d08c813ce59ab863c6ec3c68c336eed265c5e8a
SHA256: 74416d022dde876ff622038a6359907da239bbd26ceb7024f5d39dd52f16c9de
SHA512: c92b83ba5513694e05cf908a747609dd6fd3c70944d04a9b8a62939f4372561e4feb567d158b0316853c50a0c241a1c8c075875746a1e538912ea91ff84c308e

- Detect Umbral payload
- Drops file in Drivers directory
- Modifies Windows Firewall
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
Target: C11Bootstrapper/Properties/PageEditor.exe
Size: 31KB
MD5: 562ecb03ac667bc785b4a9ecc3930e00
SHA1: 7aabba8964d3682dfc29342b57dcf5ec5a4175f9
SHA256: a8ae08cf54ebef47f9c19167ea989cfc6fa4536124d53bd79cd8a19063c98c0b
SHA512: 566f622b4a623c49cf9945e2f0b42dd07678084b7fb78d1f81b8e5190c7f68298ff0e6bd2cac5a0c745c3614ecf7370161370910c228eea410ebacc2afe57cf5
SSDEEP: 768:/zCBqdzNB0zx/6Lgnm3eXdvCTQmIDUu0tifej:K6KzpUQVkPj
Score: 10/10

- Modifies Windows Firewall
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
Target: C11Bootstrapper/Start.bat
Size: 1KB
MD5: 4e3179e79f11708b60c3af67718cc0ae
SHA1: e22536c444427ce73dcc50091c28477c44e23210
SHA256: 6953af9e22a172b023757199cc77c0ea2353bfe7ab1843516a161081f0c1d76d
SHA512: aaf2402399fe8887fe516a3be50054129298970dc322652dc02578a523be74135e02b6856f0b7b774df3c827b131d54828143583038bc5350c40e89dcd1409e1

- Detect Umbral payload
- Drops file in Drivers directory
- Modifies Windows Firewall
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Create or Modify System Process: Windows Service (1)

Privilege Escalation
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Create or Modify System Process: Windows Service (1)