General

  • Target

    INVOICE#09090002.zip

  • Size

    492KB

  • Sample

    210903-g3xplsffhk

  • MD5

    7f1ce620a6c5048705cd032ac3cf2f96

  • SHA1

    f4cc8fa114282b7933ddd2809a48b486face915b

  • SHA256

    00ee2269f8eef58b09aec3b8f2f57694d84cd1e71f0df0b39e50a185147d0eeb

  • SHA512

    0faaed7f3e34deb386bdfbe76d3fa854d57a5dd6177c3f2c684df8478fd2d539f4703939841a976e0550587623d1284125a999bbeb9cc822fafbd62d0aa5e1ea

Malware Config

Targets

    • Target

      INVOICE#09090002.exe

    • Size

      592KB

    • MD5

      8146345093404dfc79a943b0da184e47

    • SHA1

      1472f04b7d707f523bc98975fc593c78ae5f4710

    • SHA256

      f0f118c8bca327b5a4d164509fae627e4bd37b087abc1b7c2e337bfc8e3ff90e

    • SHA512

      a8c3e5cb167bd8a104af57339cf997e052426817a4784bfde13e768d9f54aeee8bd39cad5ecbe4a61de561261709003caad7864d6e7b53871ae125c3d4d472cd

    • A310logger

      A310 Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty Payload

    • A310logger Executable

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks