General

  • Target

    C11Bootstrapper.zip

  • Size

    193KB

  • Sample

    240419-zz2s9sgd5y

  • MD5

    c0aa2729c58fca545c27521b4de2b97c

  • SHA1

    a591b1e81f7158bcb346d7017edbf09abf9b01de

  • SHA256

    38264c8656ce4163c7d1cf3014863dc7398227df662b90a30c6342d6f45bb5a6

  • SHA512

    b40fc38c500a24ccacc6f9e67422398d3c3ffb6da33edda7fa37a7a29e8937b6017d29bb3c34fd27f4e981eed6a38e0bfeeb678b91b9f4ea7d589d8c23c56a52

  • SSDEEP

    6144:BA3cXkEnu8vjKbnU9tWCnHGXf3fgDm+HuT:BAMXkr8IUjmXfPgDm+OT

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

127.0.0.1:4449

Mutex

chhphkahmfnasuyziqc

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %Temp%

aes.plain

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1210158511317590106/v9w3kiFGxTmHnaLb091GZCxjv8fdr5efj0qIDNAgPdpreNR5UKL8WQl7YxoqctUCkOnB

Extracted

Family

njrat

Version

0.7d

Botnet

Team TIB's Victim

C2

127.0.0.1:4040

Mutex

9d2e440703ae716f1154fa98bacb513a

Attributes
  • reg_key

    9d2e440703ae716f1154fa98bacb513a

  • splitter

    Y262SUCZ4UJJ

Targets

    • Target

      C11Bootstrapper/Properties/GuiLoader.exe

    • Size

      246KB

    • MD5

      1bb249792e56063762f5adb2d94fc8c9

    • SHA1

      9a1fa4886ed023f864c06345b639a121f6359cd1

    • SHA256

      f61483bd59316dff21d5bc3fc8f32811dd8ddca826a84255ab5ea2cdfef3d7ae

    • SHA512

      d8a2af35713bf4ce979440375c460b9f7b3f2849abc9cdf0d2fdb5e891a5bab36ed101da94f6b57d3dc775c3a0fdeffbaeab8981965ec72fe56adfa5dab501ba

    • SSDEEP

      6144:RloZM+rIkd8g+EtXHkv/iD4kgOZGCg/7I7R0STTKvYb8e1mZzi:joZtL+EP8kgOZGCg/7I7R0STTKIX

    Score
    10/10
    • Detect Umbral payload

    • Umbral

      Umbral stealer is an open-source modular stealer written in C#.

    • Drops file in Drivers directory

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      C11Bootstrapper/Properties/IndependenciesInstallation.bat

    • Size

      489B

    • MD5

      d8da01fb6f6288b044868f85228cbb10

    • SHA1

      9d08c813ce59ab863c6ec3c68c336eed265c5e8a

    • SHA256

      74416d022dde876ff622038a6359907da239bbd26ceb7024f5d39dd52f16c9de

    • SHA512

      c92b83ba5513694e05cf908a747609dd6fd3c70944d04a9b8a62939f4372561e4feb567d158b0316853c50a0c241a1c8c075875746a1e538912ea91ff84c308e

    • AsyncRat

      AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an open-source modular stealer written in C#.

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      C11Bootstrapper/Properties/PageEditor.exe

    • Size

      31KB

    • MD5

      562ecb03ac667bc785b4a9ecc3930e00

    • SHA1

      7aabba8964d3682dfc29342b57dcf5ec5a4175f9

    • SHA256

      a8ae08cf54ebef47f9c19167ea989cfc6fa4536124d53bd79cd8a19063c98c0b

    • SHA512

      566f622b4a623c49cf9945e2f0b42dd07678084b7fb78d1f81b8e5190c7f68298ff0e6bd2cac5a0c745c3614ecf7370161370910c228eea410ebacc2afe57cf5

    • SSDEEP

      768:/zCBqdzNB0zx/6Lgnm3eXdvCTQmIDUu0tifej:K6KzpUQVkPj

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      C11Bootstrapper/Start.bat

    • Size

      1KB

    • MD5

      4e3179e79f11708b60c3af67718cc0ae

    • SHA1

      e22536c444427ce73dcc50091c28477c44e23210

    • SHA256

      6953af9e22a172b023757199cc77c0ea2353bfe7ab1843516a161081f0c1d76d

    • SHA512

      aaf2402399fe8887fe516a3be50054129298970dc322652dc02578a523be74135e02b6856f0b7b774df3c827b131d54828143583038bc5350c40e89dcd1409e1

    • AsyncRat

      AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an open-source modular stealer written in C#.

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic                Technique                            Count  ID
Persistence           Create or Modify System Process      3      T1543
Persistence           Windows Service                      3      T1543.003
Persistence           Boot or Logon Autostart Execution    3      T1547
Persistence           Registry Run Keys / Startup Folder   3      T1547.001
Privilege Escalation  Create or Modify System Process      3      T1543
Privilege Escalation  Windows Service                      3      T1543.003
Privilege Escalation  Boot or Logon Autostart Execution    3      T1547
Privilege Escalation  Registry Run Keys / Startup Folder   3      T1547.001
Defense Evasion       Hide Artifacts                       3      T1564
Defense Evasion       Hidden Files and Directories         3      T1564.001
Defense Evasion       Impair Defenses                      3      T1562
Defense Evasion       Disable or Modify System Firewall    3      T1562.004
Defense Evasion       Modify Registry                      3      T1112
Credential Access     Unsecured Credentials                1      T1552
Credential Access     Credentials In Files                 1      T1552.001
Discovery             System Information Discovery         6      T1082
Discovery             Remote System Discovery              3      T1018
Collection            Data from Local System               1      T1005
Command and Control   Web Service                          3      T1102

Tasks