General
-
Target
BootstrapperV1.13.exe
-
Size
231KB
-
Sample
240805-dlrv9avfmp
-
MD5
282abb0f0ec32631b00061b682a1d930
-
SHA1
48497f3020dbbe6d1f74654d3df0995ccbee2f16
-
SHA256
78f8fb8537ad3b8545788459cb6429ebbae3bfca197b6396bf197857789cc32f
-
SHA512
1a90ccba732d8d4eb6db1b79c496c536f9021cc63a5202619fb7a133b06c61e5875df62c39a532230cdd1ab81c3a9d8b14d80f430925f05eb760a66d63f76ce2
-
SSDEEP
6144:RloZM+rIkd8g+EtXHkv/iD4upqVKInDAHZMK7bCD+Qb8e1mipi:joZtL+EP8upqVKInDAHZMK7bCDT5w
Behavioral task
behavioral1
Sample
BootstrapperV1.13.exe
Resource
win7-20240729-en
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1267765281216794646/lx9j6q1Dzqb93V7znVQDCxb5MQYo-P_nPkX7SZyoUosbxCFbPkNDLm9ahT6TFD_sDEWT
Targets
-
-
Target
BootstrapperV1.13.exe
-
Size
231KB
-
MD5
282abb0f0ec32631b00061b682a1d930
-
SHA1
48497f3020dbbe6d1f74654d3df0995ccbee2f16
-
SHA256
78f8fb8537ad3b8545788459cb6429ebbae3bfca197b6396bf197857789cc32f
-
SHA512
1a90ccba732d8d4eb6db1b79c496c536f9021cc63a5202619fb7a133b06c61e5875df62c39a532230cdd1ab81c3a9d8b14d80f430925f05eb760a66d63f76ce2
-
SSDEEP
6144:RloZM+rIkd8g+EtXHkv/iD4upqVKInDAHZMK7bCD+Qb8e1mipi:joZtL+EP8upqVKInDAHZMK7bCDT5w
-
Detect Umbral payload
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory
-
Deletes itself
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1