General
- Target: QuotePDF.vbs
- Size: 444KB
- Sample: 220127-r757naeebl
- MD5: d9f992f8020aa3a3bf5053657ae2b4e1
- SHA1: 04862f6295b1f63466eac99adbe9f28f678b4aab
- SHA256: 8dba6450d3ff2ac99d519d8f75affdcbb25bf5743e265246e0bfedd60a325a28
- SHA512: 1f632773295db7dd8a30370a66f29bbcd10485f0483b616ae6e736020d6144cb345e992cd6101da50c70ae078d79de42afd9b1b6e33fd90ced49b0e81207199a
Static task: static1
Behavioral task: behavioral1
- Sample: QuotePDF.vbs
- Resource: win7-en-20211208
Malware Config
Targets
- Target: QuotePDF.vbs
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- StormKitty Payload
- suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
- suricata: ET MALWARE StormKitty Data Exfil via Telegram
- Async RAT payload
- Executes dropped EXE
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.