Analysis
- max time kernel: 140s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-08-2023 13:21
Behavioral task: behavioral1
- Sample: EulenCheat.exe
- Resource: win7-20230712-en
Behavioral task: behavioral2
- Sample: EulenCheat.exe
- Resource: win10v2004-20230703-en
General
- Target: EulenCheat.exe
- Size: 2.2MB
- MD5: e1c2e771756f041829406106d6c64f35
- SHA1: fbd385c064784ca0a4252e56aa73ccdfe15004a3
- SHA256: 98069f38982bcc10318a09792dde1a12d4786b12ee3355cc505ca9f73d8726ea
- SHA512: c594256833088c89657bf26564374239a6d5ba9125db4c9285c631e2ea73d393319e21e2d210d968fac6abdad0ad9b2d0399988169739671433a4df29fce2ef0
- SSDEEP: 49152:04/o7K1lja8Gdq7ZMHbLjSR9SBl5c9Tc+MGlDKVXhWd9/2AATSANne:d/zXjaL4ZMHbLjQElAcfMDz+fNne
Malware Config
Signatures
- StormKitty
  StormKitty is an open source info stealer written in C#.
- StormKitty payload (1 IoC)
  resource: behavioral2/memory/4296-133-0x0000000000400000-0x000000000063C000-memory.dmp | yara_rule: family_stormkitty
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow: 24 | ioc: checkip.dyndns.org
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Runs ping.exe (1 TTP, 1 IoC)
  pid: 824 | Process: PING.EXE
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid: 4296 | Process: EulenCheat.exe
  pid: 4296 | Process: EulenCheat.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege | pid: 4296 | Process: EulenCheat.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  description | pid | Process | procid_target
  PID 4296 wrote to memory of 4372 | 4296 | EulenCheat.exe | 83
  PID 4296 wrote to memory of 4372 | 4296 | EulenCheat.exe | 83
  PID 4372 wrote to memory of 460 | 4372 | cmd.exe | 85
  PID 4372 wrote to memory of 460 | 4372 | cmd.exe | 85
  PID 4372 wrote to memory of 2396 | 4372 | cmd.exe | 86
  PID 4372 wrote to memory of 2396 | 4372 | cmd.exe | 86
  PID 4372 wrote to memory of 2256 | 4372 | cmd.exe | 87
  PID 4372 wrote to memory of 2256 | 4372 | cmd.exe | 87
  PID 4296 wrote to memory of 944 | 4296 | EulenCheat.exe | 88
  PID 4296 wrote to memory of 944 | 4296 | EulenCheat.exe | 88
  PID 944 wrote to memory of 2292 | 944 | cmd.exe | 90
  PID 944 wrote to memory of 2292 | 944 | cmd.exe | 90
  PID 944 wrote to memory of 788 | 944 | cmd.exe | 92
  PID 944 wrote to memory of 788 | 944 | cmd.exe | 92
  PID 944 wrote to memory of 2688 | 944 | cmd.exe | 93
  PID 944 wrote to memory of 2688 | 944 | cmd.exe | 93
  PID 4296 wrote to memory of 4364 | 4296 | EulenCheat.exe | 96
  PID 4296 wrote to memory of 4364 | 4296 | EulenCheat.exe | 96
  PID 4364 wrote to memory of 824 | 4364 | cmd.exe | 99
  PID 4364 wrote to memory of 824 | 4364 | cmd.exe | 99
Processes
- C:\Users\Admin\AppData\Local\Temp\EulenCheat.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\EulenCheat.exe"
  PID: 4296
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\cmd.exe
    Command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    PID: 4372
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\chcp.com
      Command line: chcp 65001
      PID: 460
    - C:\Windows\system32\netsh.exe
      Command line: netsh wlan show profile
      PID: 2396
    - C:\Windows\system32\findstr.exe
      Command line: findstr All
      PID: 2256
  - C:\Windows\SYSTEM32\cmd.exe
    Command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile name=65001 key=clear | findstr Key
    PID: 944
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\chcp.com
      Command line: chcp 65001
      PID: 2292
    - C:\Windows\system32\netsh.exe
      Command line: netsh wlan show profile name=65001 key=clear
      PID: 788
    - C:\Windows\system32\findstr.exe
      Command line: findstr Key
      PID: 2688
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\EulenCheat.exe"
    PID: 4364
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\PING.EXE
      Command line: ping 1.1.1.1 -n 1 -w 3000
      PID: 824
      - Runs ping.exe