General

  • Target

    BootstrapperV1.13.exe

  • Size

    231KB

  • Sample

    240805-dlrv9avfmp

  • MD5

    282abb0f0ec32631b00061b682a1d930

  • SHA1

    48497f3020dbbe6d1f74654d3df0995ccbee2f16

  • SHA256

    78f8fb8537ad3b8545788459cb6429ebbae3bfca197b6396bf197857789cc32f

  • SHA512

    1a90ccba732d8d4eb6db1b79c496c536f9021cc63a5202619fb7a133b06c61e5875df62c39a532230cdd1ab81c3a9d8b14d80f430925f05eb760a66d63f76ce2

  • SSDEEP

    6144:RloZM+rIkd8g+EtXHkv/iD4upqVKInDAHZMK7bCD+Qb8e1mipi:joZtL+EP8upqVKInDAHZMK7bCDT5w

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1267765281216794646/lx9j6q1Dzqb93V7znVQDCxb5MQYo-P_nPkX7SZyoUosbxCFbPkNDLm9ahT6TFD_sDEWT

Targets

    • Target

      BootstrapperV1.13.exe

    • Size

      231KB

    • MD5

      282abb0f0ec32631b00061b682a1d930

    • SHA1

      48497f3020dbbe6d1f74654d3df0995ccbee2f16

    • SHA256

      78f8fb8537ad3b8545788459cb6429ebbae3bfca197b6396bf197857789cc32f

    • SHA512

      1a90ccba732d8d4eb6db1b79c496c536f9021cc63a5202619fb7a133b06c61e5875df62c39a532230cdd1ab81c3a9d8b14d80f430925f05eb760a66d63f76ce2

    • SSDEEP

      6144:RloZM+rIkd8g+EtXHkv/iD4upqVKInDAHZMK7bCD+Qb8e1mipi:joZtL+EP8upqVKInDAHZMK7bCDT5w

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an open-source modular stealer written in C#.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Drops file in Drivers directory

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15
