Overview

overview

10

Static

static

gat.exe

windows7-x64

10

gat.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    74s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    31-08-2022 06:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    gat.exe

  • Size

    601KB

  • MD5

    add0d682444f2f406e9dfe65a392e74e

  • SHA1

    08d8d51581a189be5beb3f3bb8886b6af250d170

  • SHA256

    beb46012919018735132f1ca08c31ac870b2be20e97a4b3fac463616c5504fa0

  • SHA512

    eccbd3d740d04c372207af34504258882566c4395395e0795143f492c148e2b58a6d33c812810ba35da68578288299c8cd077bcde9d1fd0ad7febb29be09029c

  • SSDEEP

    12288:9Ou3XDG2/F8/C/QpJQJuGHc55JtsFVwv4h05AhH8XUplgGpsaTo:fG2/m/NJE8XJgV5hQwqNGps3

Score
10/10
blustealerstormkittycollectionstealer

Malware Config

Signatures

  • BluStealer

    A Modular information stealer written in Visual Basic.

    stealerblustealer
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 4 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\gat.exe
    "C:\Users\Admin\AppData\Local\Temp\gat.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1032
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\klKpUWQ.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2000
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\klKpUWQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDD65.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:980
    • C:\Users\Admin\AppData\Local\Temp\gat.exe
      "C:\Users\Admin\AppData\Local\Temp\gat.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1840
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        3⤵
        • Accesses Microsoft Outlook profiles
        • Checks processor information in registry
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:1056

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpDD65.tmp
    Filesize

    1KB

    MD5

    57481529a45f9dbc7f6ae3a81d654ec5

    SHA1

    b50eac6dbdf11ff5236d767861dd64b6ee993f79

    SHA256

    b0f1d696b2a837bf08da4b0e44300cb82a03b2cf8bfda8f455ad9dd8597fd00d

    SHA512

    c977eca7b4d434e71d9589d343bbfa2d4880a2a5ecd92bdb7bc2d8a52ab3433e643aa3943ea695f8841a44136a0d631dc6523c2b7689c1260692bd431e836794

    Download Submit

  • memory/1032-63-0x0000000000E10000-0x0000000000E38000-memory.dmp

    Filesize

    160KB

    Download

  • memory/1032-55-0x0000000076051000-0x0000000076053000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1032-56-0x00000000003C0000-0x00000000003DA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1032-57-0x00000000004F0000-0x00000000004FC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1032-58-0x0000000005450000-0x00000000054C4000-memory.dmp

    Filesize

    464KB

    Download

  • memory/1032-54-0x0000000000EC0000-0x0000000000F5C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/1056-81-0x00000000000D0000-0x00000000000EA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1056-76-0x00000000000D0000-0x00000000000EA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1056-83-0x00000000000D0000-0x00000000000EA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1056-78-0x00000000000D0000-0x00000000000EA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1840-69-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1840-72-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1840-64-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1840-67-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1840-65-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1840-85-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1840-88-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2000-86-0x0000000074E50000-0x00000000753FB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2000-87-0x0000000074E50000-0x00000000753FB000-memory.dmp

    Filesize

    5.7MB

    Download