umbral | 73207e68fd2611a51968b6903020cedf7d6c07eeb7e8570de6ac533d93d31e25 | Triage

Submit
Reports

Overview

overview

Static

static

C37boot/C3...er.exe

windows10-2004-x64

C37boot/C3...er.exe

windows11-21h2-x64

Sharing

General

Target

C37boot.zip
Size

138KB
Sample

240605-tp5jhsbg2s
MD5

823806e44f19c682c6de359fa332c452
SHA1

78ca243e9b4690c2c82bc75456087a1f82d803b7
SHA256

73207e68fd2611a51968b6903020cedf7d6c07eeb7e8570de6ac533d93d31e25
SHA512

319d0bb0b65e45f68c9d2de005178211878286eb978f644af9955e50193ce5d7e09f5686da0bbd125a3f9f8e4f074901d7ee6fbdbf904bdb810c752280f81cca
SSDEEP

3072:ls5OiL2k7hkVitM5ca5v6Si5in/bSlJpsxZ/TGyDlz:ls5J2Rtmm6tiOsrTb5

Score

10^/10

umbral execution spyware stealer

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

C37boot/C37Bootstrapper.exe

Resource

win10v2004-20240426-en

umbral execution spyware stealer

windows10-2004-x64

13 signatures

1800 seconds

Behavioral task

behavioral2

Sample

C37boot/C37Bootstrapper.exe

Resource

win11-20240426-en

umbral execution spyware stealer

windows11-21h2-x64

13 signatures

1800 seconds

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1247939114515431576/-I9y34Eg1J2F4FolssK-68gxrpNUiziMBe1Dq5-AXRXx_G_XjzHxBj25MXS-XoZvwnV0

Targets

- Target
  
  C37boot/C37Bootstrapper.exe
- Size
  
  405KB
- MD5
  
  c8294556e29920bfcc619529da141096
- SHA1
  
  7dad1b482c1d3baeade911400027e615e2ea52ff
- SHA256
  
  26deb9a0264cccfdef387610235e9e9032144c8e73561c3d0007c248a6c84dc3
- SHA512
  
  1ac29a6ecdf761d85d3b1b64910f7edd865238d1d6b159532efb8260fa9af35c7db06892359ba9efe7bd571ec2bd259a0621721666fd5b085e92f68848f63af6
- SSDEEP
  
  6144:nloZM+rIkd8g+EtXHkv/iD4w85EFzQEb3CzFQMpFlb8e1mBiEqkRH:loZtL+EP8w85EFzQEb3CzFQMpfvEJ
Score

10^/10

umbral execution spyware stealer
- Detect Umbral payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

umbralexecutionspywarestealer

behavioral2

umbralexecutionspywarestealer

© 2018-2024

Terms | Privacy