General

  • Target

    QuotePDF.vbs

  • Size

    444KB

  • Sample

    220127-r757naeebl

  • MD5

    d9f992f8020aa3a3bf5053657ae2b4e1

  • SHA1

    04862f6295b1f63466eac99adbe9f28f678b4aab

  • SHA256

    8dba6450d3ff2ac99d519d8f75affdcbb25bf5743e265246e0bfedd60a325a28

  • SHA512

    1f632773295db7dd8a30370a66f29bbcd10485f0483b616ae6e736020d6144cb345e992cd6101da50c70ae078d79de42afd9b1b6e33fd90ced49b0e81207199a

Malware Config

Targets


    • AsyncRAT

      AsyncRAT is designed to remotely monitor and control other computers.

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, block at first sight, etc.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty Payload

    • suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

    • suricata: ET MALWARE StormKitty Data Exfil via Telegram

    • Async RAT payload

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scheduled Task (T1053): 1

  • Persistence

    Scheduled Task (T1053): 1

  • Privilege Escalation

    Scheduled Task (T1053): 1

  • Credential Access

    Credentials in Files (T1081): 1

  • Discovery

    System Information Discovery (T1082): 2

    Query Registry (T1012): 1

  • Collection

    Data from Local System (T1005): 1
