Analysis
-
max time kernel
6s -
max time network
129s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
31-12-2023 08:49
General
-
Target
2fa857766a51190a35c523d1e668c419.exe
-
Size
597KB
-
MD5
2fa857766a51190a35c523d1e668c419
-
SHA1
a03a3e40fea2601e2b745b6d111d8b50384f1bd5
-
SHA256
32635c5f985aa62687009145f91b4523b781bea2faa94f7864d2ff16ab0a14ef
-
SHA512
3c54fd2dcfce7e412b8fe2bf328b7feb22dc2eabc24b14040255b7844280c0b4e5d9860c3e244fd90e5702b51454a406039bfd4edd245ee0f530eac4ed191556
-
SSDEEP
12288:pjxXyjFxBYSk/XE+DF7ruopsW+grfBecYSDE5JVKV6m9E1/E:pjlyZxBAXdZ75CgEcfDE5kKdE
Malware Config
Signatures
-
A310logger
A310 Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
Detect ZGRat V1 1 IoCs
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 7 IoCs
-
ZGRat
ZGRat is remote access trojan written in C#.
-
A310logger Executable 8 IoCs
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2fa857766a51190a35c523d1e668c419.exe"C:\Users\Admin\AppData\Local\Temp\2fa857766a51190a35c523d1e668c419.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2fa857766a51190a35c523d1e668c419.exe"C:\Users\Admin\AppData\Local\Temp\2fa857766a51190a35c523d1e668c419.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"3⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- outlook_office_path
- outlook_win_path
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"4⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD572a7632027dedb229806ac3df1171a0d
SHA1f19bbd06eb66602398175af64d868fd4ed7333dc
SHA256a9e33dacc1bddf8d1e860361b5ca6b985850c68fa8403290f947bd3e5f6e2544
SHA512f63e3a89e69eab9fa5819762db0e0a7d14d1ed05009b0fa71d695ea5e64277f655c1356d9faaebaf2a49b6f7182d5ffa310b793175af7cbe644e814787128284
-
C:\Users\Admin\AppData\Local\Temp\Cab9E63.tmpFilesize
30KB
MD5c59b19dcf7725b5c2e3e148879a0f8ce
SHA1e83439d0edc1a4580cee5743bbe8091380015f14
SHA25653060476a1b8ae0812efdf4740d4de144ab47eba200320f13657d9ed44c3d041
SHA512680106501fcf309bcbb113ed843dbd7685a0b674cc05ac85e6b0d2ab3b0dc2c835f781fe13d2ebc775496ba6da50d7ae464821bb63c13e5ef55a501d8829725e
-
C:\Users\Admin\AppData\Local\Temp\Tar9F41.tmpFilesize
39KB
MD534325be3507824570b2b8f4219a6e121
SHA1b788bfeda0d4d8cbcc68b011f3dec9d6758dc4f0
SHA25622f6ca482d117df1cd1f288b5c4c72eab457a5401d2e3ed4dcca05baa444ca1e
SHA51290820b72619aa136275a5968ecaae8649bedf7c7b3dcde20b835316bd26b98b44b49f37a875b6cbf45cc42d6bcf5fbc82755331d9c546df91b5d894132dc02b5
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exeFilesize
20KB
MD51bad0cbd09b05a21157d8255dc801778
SHA1ff284bba12f011b72e20d4c9537d6c455cdbf228
SHA256218073bda7a00e780704c1289d5e22ad27bb3ba11f210afa18af33a6ad5176e9
SHA5124fea56812eba1f1bba17f20d06b509e2a3b4e138562e53c230d0736d596abed4a6a3e43e26936fcd6d107924c8bba41885f34901afa4fd0d37d7e4a93c9b8533
-
memory/1528-159-0x000007FEF5650000-0x000007FEF5FED000-memory.dmpFilesize
9.6MB
-
memory/1528-155-0x000007FEF5650000-0x000007FEF5FED000-memory.dmpFilesize
9.6MB
-
memory/1528-157-0x000007FEF5650000-0x000007FEF5FED000-memory.dmpFilesize
9.6MB
-
memory/1528-156-0x0000000001F80000-0x0000000002000000-memory.dmpFilesize
512KB
-
memory/1956-107-0x000007FEF5450000-0x000007FEF5DED000-memory.dmpFilesize
9.6MB
-
memory/1956-106-0x000007FEF5450000-0x000007FEF5DED000-memory.dmpFilesize
9.6MB
-
memory/2252-11-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/2252-14-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/2252-102-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/2252-7-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/2252-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2252-5-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/2252-6-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/2372-158-0x0000000073DF0000-0x000000007439B000-memory.dmpFilesize
5.7MB
-
memory/2372-122-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2372-131-0x0000000073DF0000-0x000000007439B000-memory.dmpFilesize
5.7MB
-
memory/2372-130-0x0000000000360000-0x00000000003A0000-memory.dmpFilesize
256KB
-
memory/2372-126-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/2372-129-0x0000000073DF0000-0x000000007439B000-memory.dmpFilesize
5.7MB
-
memory/2372-128-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/2508-13-0x0000000074130000-0x000000007481E000-memory.dmpFilesize
6.9MB
-
memory/2508-1-0x0000000074130000-0x000000007481E000-memory.dmpFilesize
6.9MB
-
memory/2508-4-0x0000000000380000-0x0000000000396000-memory.dmpFilesize
88KB
-
memory/2508-3-0x0000000004AA0000-0x0000000004AE0000-memory.dmpFilesize
256KB
-
memory/2508-2-0x0000000000C70000-0x0000000000CE8000-memory.dmpFilesize
480KB
-
memory/2508-0-0x00000000010B0000-0x000000000114A000-memory.dmpFilesize
616KB
-
memory/2768-27-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/2768-108-0x0000000073EB0000-0x000000007445B000-memory.dmpFilesize
5.7MB
-
memory/2768-103-0x0000000073EB0000-0x000000007445B000-memory.dmpFilesize
5.7MB
-
memory/2768-33-0x0000000073EB0000-0x000000007445B000-memory.dmpFilesize
5.7MB
-
memory/2768-34-0x0000000000C70000-0x0000000000CB0000-memory.dmpFilesize
256KB
-
memory/2768-32-0x0000000073EB0000-0x000000007445B000-memory.dmpFilesize
5.7MB
-
memory/2768-17-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/2768-19-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/2768-21-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/2768-23-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/2768-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2768-29-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/2768-31-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB