General
-
Target
BootstrapperV1.13.rar
-
Size
79KB
-
Sample
240906-ts5npawglf
-
MD5
88e52f784ad35aff3b37046d8fc152a5
-
SHA1
d86313ca8a39d844f767d0f70de4bb68b8e2bb04
-
SHA256
683532c9ddccd09aac6480c255099963803eac956ea1d5597c772ff13a8a7a31
-
SHA512
82b9aae88dd61416e011f29d092201b0609c0e5d25126343062b548240e585ad1dcd01cbc73fbe0056becf3b060716cb56d35bba1080c441eb01e4c0b173d1c3
-
SSDEEP
1536:mpcWhrJks7JCizXkmQQU6eGMgBBXv+RPk5xH9griGKmhBGXzs9Xau:qX7JCiLMBbyvY8CC40js9N
Behavioral task
behavioral1
Sample
BootstrapperV1.13.rar
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
BootstrapperV1.13.rar
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
BootstrapperV1.13.exe
Resource
win7-20240729-en
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1267765278348152842/-kPKB4JdOggRN8137Je53csdEwdD1XV1iw7mGKhIQuAM7kIz_LwCjyjE2Ekxy7ebgeJr
Targets
-
-
Target
BootstrapperV1.13.rar
-
Size
79KB
-
MD5
88e52f784ad35aff3b37046d8fc152a5
-
SHA1
d86313ca8a39d844f767d0f70de4bb68b8e2bb04
-
SHA256
683532c9ddccd09aac6480c255099963803eac956ea1d5597c772ff13a8a7a31
-
SHA512
82b9aae88dd61416e011f29d092201b0609c0e5d25126343062b548240e585ad1dcd01cbc73fbe0056becf3b060716cb56d35bba1080c441eb01e4c0b173d1c3
-
SSDEEP
1536:mpcWhrJks7JCizXkmQQU6eGMgBBXv+RPk5xH9griGKmhBGXzs9Xau:qX7JCiLMBbyvY8CC40js9N
Score3/10 -
-
-
Target
BootstrapperV1.13.exe
-
Size
229KB
-
MD5
224b37147484176752b12af33b9efd96
-
SHA1
d2fbb87ff49e0e80e8585b449fac349688d02f23
-
SHA256
2133a2c5f4a04d8ffe1ea436d035917ad16c50fa011b021c95c71f2660e67033
-
SHA512
e374e69dad1b3ad39887163e6c8cd07a88e36b167b91b0eeb8a5296f7345ea4c97e6e8e009193b321524f5326118900933e4657b0177b702036525d42c508704
-
SSDEEP
6144:9loZM+rIkd8g+EtXHkv/iD4lePZsyVtG/TOMdRYz7b8e1m4i:foZtL+EP8lePZsyVtG/TOMdRYDu
-
Detect Umbral payload
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory
-
Deletes itself
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1