General

  • Target

    NKPOY00987900K.zip

  • Size

    11KB

  • Sample

    210906-hlrbyaafc2

  • MD5

    79c795407867e917a7b5d39755455790

  • SHA1

    5f72e00c3e88e3b386b1fa5fdc3ae168531c651a

  • SHA256

    2079e40b5cbdef00232f13d540bb2e057952692a184d7a4c41daffe882943d4a

  • SHA512

    d8375bcd8bb30ad36563c80b5eee86441bc5552494ef9cb82c38454ef1fe3057b7d64526ee5ed5b6d31df52dc1ba155f41f22d594d22c1c141afbf22dfa98c02

Malware Config

Targets

    • Target

      NKPOY00987900K.exe

    • Size

      37KB

    • MD5

      519495b97861c5e3aa560ccbf16b6a00

    • SHA1

      d25dfc588f3462eb4bfb4360bf2822c5c8645ec5

    • SHA256

      990b62bd8929c8b736fdcf793edb869c350b1a47a7d14ae07f12f951b4d9d55d

    • SHA512

      7720caf3c3aed61ef4fc00c3f281f56b5fc547abee6a7c0014e77b465b6684ea657bba3de7a289ae4e7f5a3186bcceb589d19ea906471668d59cffdde6c8e03c

    • A310logger

      A310 Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty Payload

    • A310logger Executable

    • Executes dropped EXE

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access

    Credentials in Files (T1081): 2

  • Discovery

    System Information Discovery (T1082): 2

    Query Registry (T1012): 1

  • Collection

    Data from Local System (T1005): 2

Tasks