General

  • Target

    BootstrapperNew.exe

  • Size

    2.6MB

  • Sample

    250222-y939eaymdr

  • MD5

    e50282436ad44eb8ec3e08ecaabec2e0

  • SHA1

    1a7e345b90ec4087884185dbd0b40164248ecfd0

  • SHA256

    6068e700d44fbc4a38a0bb7b05262da684eb53ae6689fea9dfa5b1411f123922

  • SHA512

    e4027dac84e1fa9109426fdf8b52a86e5e1fbf66b64924d2cc132acf2dc4becfc6595076688fef6d0b27b40bc687c4883203524c81b0c01242d7743a713e9eaf

  • SSDEEP

    49152:Exkczo+Et3EczvDrtkm3wmTwGyNqXhp3z182x0r8HQ4PhrYLg8hVYMz+PT:EE+YplNwGyNm3Z/x0wCX

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1342855344006893599/eGKFdFfxqqBAzE_z6yEX9OgSrXGjaARgvdEHtEpFWiqqlvMfgcnXVTQiOS26Pz1o69fo

Targets

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an open-source modular stealer written in C#.

    • Umbral family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks