General

  • Target

    37798198d3649f8171286118fd320fe2

  • Size

    2.7MB

  • Sample

    231231-qf1mesbad5

  • MD5

    37798198d3649f8171286118fd320fe2

  • SHA1

    e4d54a7c1dec833f20a6ff922388bac3b0a8546f

  • SHA256

    04e942767c6c9744ef7eb6d3cc342239b8feaacd4df3c5e542b85177c0fbd97f

  • SHA512

    04f6b778a1920686a8c831be6a827df8997c70b5f2148470142748388d8719f78c553ca462000323bc96c9dc0443addaed636687743ed6df159bab3e90e45838

  • SSDEEP

    12288:lmsZymTeEa4vxX8Y4psEDM44IR//XjlYFq1XIJrgjawytjSu76nPK91s38NOu6Nb:ol

Malware Config

Targets

    • Target

      37798198d3649f8171286118fd320fe2

    • Size

      2.7MB

    • MD5

      37798198d3649f8171286118fd320fe2

    • SHA1

      e4d54a7c1dec833f20a6ff922388bac3b0a8546f

    • SHA256

      04e942767c6c9744ef7eb6d3cc342239b8feaacd4df3c5e542b85177c0fbd97f

    • SHA512

      04f6b778a1920686a8c831be6a827df8997c70b5f2148470142748388d8719f78c553ca462000323bc96c9dc0443addaed636687743ed6df159bab3e90e45838

    • SSDEEP

      12288:lmsZymTeEa4vxX8Y4psEDM44IR//XjlYFq1XIJrgjawytjSu76nPK91s38NOu6Nb:ol

    • A310logger

      A310 Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

    • Detect ZGRat V1

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • A310logger Executable

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks