General

  • Target

    C37Bootstrapper.exe

  • Size

    407KB

  • Sample

    240605-wjjqzade4y

  • MD5

    2a25b9d935c4fe0a9f85251ecabfd923

  • SHA1

    bebbdce90e0ba9eb1cf388f0db17dbb97775e9e2

  • SHA256

    b5015182ecaa7561f27090fb7b2aab0decbbffc94606225b12676dc720266498

  • SHA512

    08f31d8e8867fcdadb209d28ad3f654b694fe5ec19a289871d758ab75d7759f08c4b8f01c789be22c2e83dafa8ec9e861479003e1e091038074471c701bf9dbf

  • SSDEEP

    6144:oloZMLrIkd8g+EtXHkv/iD4I7lXrRiK1AwBzOurZpjb8e1mVi4qkRH:2oZ0L+EP8I7lXrRiK1AwBzOurzr4J

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1240608431912648746/0xO8j0CKqDNLBbrrGwB4Di4ZwKK6d-HUusc2YnRBbbd4ysQkmEvxp1Nbx9O5yHNNZk95

Targets

    • Target

      C37Bootstrapper.exe

    • Size

      407KB

    • MD5

      2a25b9d935c4fe0a9f85251ecabfd923

    • SHA1

      bebbdce90e0ba9eb1cf388f0db17dbb97775e9e2

    • SHA256

      b5015182ecaa7561f27090fb7b2aab0decbbffc94606225b12676dc720266498

    • SHA512

      08f31d8e8867fcdadb209d28ad3f654b694fe5ec19a289871d758ab75d7759f08c4b8f01c789be22c2e83dafa8ec9e861479003e1e091038074471c701bf9dbf

    • SSDEEP

      6144:oloZMLrIkd8g+EtXHkv/iD4I7lXrRiK1AwBzOurZpjb8e1mVi4qkRH:2oZ0L+EP8I7lXrRiK1AwBzOurzr4J

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks