Analysis
-
max time kernel
1s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
26-12-2023 17:13
General
-
Target
7f89e0d7af8a5d3aac55f8e431a7155d.exe
-
Size
561KB
-
MD5
7f89e0d7af8a5d3aac55f8e431a7155d
-
SHA1
e29ae62587d7f6bdd6a0c35b644a2ffd9f256275
-
SHA256
af06048a49faa8cc34dfc217cea2064b98e6776d4708d9d6f0d7c0c926ff3105
-
SHA512
def763a9ac715e9443d5afcac7bd8f3028ffa97f19766158fd3e5cdf710b7379182b18529858751422fc46cee79cfe90ade995d73f8e68b92fb560416450def3
-
SSDEEP
12288:GfX25krtcNSYIgaqmkllWvxgRs0QYst8Lny2Z7ECwfHP9Mkp/Km3fyBGme2:GfX25krtcNSYIgdu704a1/+/0Gmt
Malware Config
Signatures
-
A310logger
A310 Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
-
A310logger Executable 1 IoCs
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7f89e0d7af8a5d3aac55f8e431a7155d.exe"C:\Users\Admin\AppData\Local\Temp\7f89e0d7af8a5d3aac55f8e431a7155d.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7f89e0d7af8a5d3aac55f8e431a7155d.exe"C:\Users\Admin\AppData\Local\Temp\7f89e0d7af8a5d3aac55f8e431a7155d.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"3⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- outlook_office_path
- outlook_win_path
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 4940 -ip 49401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 801⤵
- Program crash
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1772-24-0x0000000001060000-0x0000000001070000-memory.dmpFilesize
64KB
-
memory/1772-23-0x00007FFEDB6E0000-0x00007FFEDC081000-memory.dmpFilesize
9.6MB
-
memory/1772-29-0x00007FFEDB6E0000-0x00007FFEDC081000-memory.dmpFilesize
9.6MB
-
memory/1772-28-0x00007FFEDB6E0000-0x00007FFEDC081000-memory.dmpFilesize
9.6MB
-
memory/3248-3-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/3248-32-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/3248-5-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/3712-55-0x0000000073DA0000-0x0000000074351000-memory.dmpFilesize
5.7MB
-
memory/3712-38-0x0000000073DA0000-0x0000000074351000-memory.dmpFilesize
5.7MB
-
memory/3712-39-0x0000000000F00000-0x0000000000F10000-memory.dmpFilesize
64KB
-
memory/3712-40-0x0000000073DA0000-0x0000000074351000-memory.dmpFilesize
5.7MB
-
memory/3924-31-0x0000000074090000-0x0000000074641000-memory.dmpFilesize
5.7MB
-
memory/3924-8-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/3924-11-0x0000000074090000-0x0000000074641000-memory.dmpFilesize
5.7MB
-
memory/3924-9-0x0000000074090000-0x0000000074641000-memory.dmpFilesize
5.7MB
-
memory/3924-10-0x0000000001060000-0x0000000001070000-memory.dmpFilesize
64KB
-
memory/4388-1-0x00000000008B0000-0x00000000009B0000-memory.dmpFilesize
1024KB
-
memory/4388-2-0x0000000000DC0000-0x0000000000DC2000-memory.dmpFilesize
8KB
-
memory/4732-54-0x00007FFEDAB30000-0x00007FFEDB4D1000-memory.dmpFilesize
9.6MB
-
memory/4732-53-0x00007FFEDAB30000-0x00007FFEDB4D1000-memory.dmpFilesize
9.6MB
-
memory/4732-56-0x00007FFEDAB30000-0x00007FFEDB4D1000-memory.dmpFilesize
9.6MB