General

  • Target

    INVOICE#0909000.exe

  • Size

    597KB

  • Sample

    210824-ae2ez7v97s

  • MD5

    2fa857766a51190a35c523d1e668c419

  • SHA1

    a03a3e40fea2601e2b745b6d111d8b50384f1bd5

  • SHA256

    32635c5f985aa62687009145f91b4523b781bea2faa94f7864d2ff16ab0a14ef

  • SHA512

    3c54fd2dcfce7e412b8fe2bf328b7feb22dc2eabc24b14040255b7844280c0b4e5d9860c3e244fd90e5702b51454a406039bfd4edd245ee0f530eac4ed191556

Malware Config

Targets

    • Target

      INVOICE#0909000.exe

    • Size

      597KB

    • MD5

      2fa857766a51190a35c523d1e668c419

    • SHA1

      a03a3e40fea2601e2b745b6d111d8b50384f1bd5

    • SHA256

      32635c5f985aa62687009145f91b4523b781bea2faa94f7864d2ff16ab0a14ef

    • SHA512

      3c54fd2dcfce7e412b8fe2bf328b7feb22dc2eabc24b14040255b7844280c0b4e5d9860c3e244fd90e5702b51454a406039bfd4edd245ee0f530eac4ed191556

    • A310logger

      A310 Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty Payload

    • A310logger Executable

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks