Analysis

  • max time kernel
    145s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18-01-2023 14:47

General

  • Target

    https://github.com/Bulldogfrfr/LaF-krunker-Client/blob/main/LaF_Setup_Windows_x64.exe

Score
10/10

Malware Config

Signatures

  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 3 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Program crash 2 IoCs
  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 43 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/Bulldogfrfr/LaF-krunker-Client/blob/main/LaF_Setup_Windows_x64.exe
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1392
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1392 CREDAT:17410 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1688
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G3YCTSQY\LaF_Setup_Windows_x64.exe
      "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G3YCTSQY\LaF_Setup_Windows_x64.exe"
      2⤵
      • Executes dropped EXE
      PID:320
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 320 -s 1124
        3⤵
        • Program crash
        PID:1956
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 416 -p 320 -ip 320
    1⤵
    PID:3840
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 540 -p 2488 -ip 2488
    1⤵
    PID:4336
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2488 -s 1688
    1⤵
    • Program crash
    PID:4376

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion
    Modify Registry (2) T1112
  • Command and Control
    Web Service (1) T1102


Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize: 471B
    MD5: 14bf85de793cea23b81c15fb4078caac
    SHA1: 288eb197e359344a18d65724ff854bbe482be6fb
    SHA256: a6a1d1ce7bbc768eeda3b115f96805c7a7b79b2a1d456810842bad24fcf6d1f1
    SHA512: cb7bfb330f21e1d4ef49d92c86c77c12a58ad8fe37e57a745539f0902ef2bb063f6e4236146584c4dbd2c5d48510c7500577e7d0b41724ccad1f017cb2da70c1

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize: 434B
    MD5: f39c8ef8fb437cd8cbe1ec633bc6c870
    SHA1: 5c865e53370575bcfc79176aa42aab45edd1575a
    SHA256: 01e31868b33dc5ea3eb3a38fb81bc155b675b67106947c844fda4f7443ff3b81
    SHA512: eb5b3780d96603c63e291fea02a56fa3d413f640ada694d2e4461c698c2acdea527773cb900853e8cf17d7d6696112da9c63b60289d4da6f69ed4757cbcaee11

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\dqptnfu\imagestore.dat
    Filesize: 1KB
    MD5: d48190ec76f439fdbd471873f66e257c
    SHA1: 77852dea806764ba6d12377432e6c29bdf3a44e7
    SHA256: 9fa31c9742414707a128c2d12ba6dcb100230d77fae25481ad826a0f3b0904e6
    SHA512: d973ba8383ef472990a98ad7d8cd2d3e2ed4f1250017b222b8ae9dfb5fd22f8f606e8b6d447da8874dc2d5c0abafa151899da4169f522e859cfe4a11e2353fa9

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G3YCTSQY\LaF_Setup_Windows_x64.exe
    Filesize: 63KB
    MD5: 25fc98107ffc3d6763b702f1167e913f
    SHA1: aeaa8b4139771dbec081f34cd1e382e8317a9fbd
    SHA256: 19cd3bbcb2e7013aa7ac5240a481c059824d32ee039652a5cab79da08b84d4e6
    SHA512: 37a3accb6457fa7d9b8e647dab779ded49798e96efea2e11847ef354419ff39d4eb217dc3c88686bec8839b9f5be5dca2718647c93b0fdccd400928cc9457f35

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G3YCTSQY\LaF_Setup_Windows_x64.exe.v25p4cq.partial
    Filesize: 63KB
    MD5: 25fc98107ffc3d6763b702f1167e913f
    SHA1: aeaa8b4139771dbec081f34cd1e382e8317a9fbd
    SHA256: 19cd3bbcb2e7013aa7ac5240a481c059824d32ee039652a5cab79da08b84d4e6
    SHA512: 37a3accb6457fa7d9b8e647dab779ded49798e96efea2e11847ef354419ff39d4eb217dc3c88686bec8839b9f5be5dca2718647c93b0fdccd400928cc9457f35

  • memory/320-134-0x0000000000000000-mapping.dmp
  • memory/320-136-0x0000000000620000-0x0000000000636000-memory.dmp
    Filesize: 88KB
  • memory/320-137-0x00007FFB91930000-0x00007FFB923F1000-memory.dmp
    Filesize: 10.8MB
  • memory/320-138-0x00007FFB91930000-0x00007FFB923F1000-memory.dmp
    Filesize: 10.8MB