General
-
Target
CrypticBootstrapper.exe
-
Size
234KB
-
Sample
250203-rqmnzstlbt
-
MD5
382b946582beaad5ee5c50ac21d0ded1
-
SHA1
26ab22955ed978b232503e710a226c8f9332c835
-
SHA256
587849a5a71af2928ecc82f0fa9f405b898e69d1c93e6d7102f29a38abf988eb
-
SHA512
bab1487bfd8f10753a4022336c026fb3e8f77cae371d0a8c861c36c4e1c101c999b4ec46dac55f01439d74441e86fdb30ae9dfb7bf6fd60b3c12f5f9103e0c80
-
SSDEEP
6144:zloZMLrIkd8g+EtXHkv/iD4xI/s48e1mF0i:xoZ0L+EP8xgO9
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1335977142105805066/saBJFpemhgpqIhPO9s0jhP8iTAqE0d3R-z8FkBfVvQQdRG1xCG5fraYk08OjbsNg8dZz
Targets
-
-
Target
CrypticBootstrapper.exe
-
Size
234KB
-
MD5
382b946582beaad5ee5c50ac21d0ded1
-
SHA1
26ab22955ed978b232503e710a226c8f9332c835
-
SHA256
587849a5a71af2928ecc82f0fa9f405b898e69d1c93e6d7102f29a38abf988eb
-
SHA512
bab1487bfd8f10753a4022336c026fb3e8f77cae371d0a8c861c36c4e1c101c999b4ec46dac55f01439d74441e86fdb30ae9dfb7bf6fd60b3c12f5f9103e0c80
-
SSDEEP
6144:zloZMLrIkd8g+EtXHkv/iD4xI/s48e1mF0i:xoZ0L+EP8xgO9
Score10/10-
Detect Umbral payload
-
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
-
Umbral family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-