Analysis
-
max time kernel
63s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
04-01-2024 20:18
General
-
Target
41c3b05debb26645393a5c7253f28e77.exe
-
Size
594KB
-
MD5
41c3b05debb26645393a5c7253f28e77
-
SHA1
e1e8fcfdc15c34f7e1ce974e4278e79879fe86ae
-
SHA256
584a847c7e779a2951440152072b93e4ecccb1b86148a2e289c2ccb86962ac34
-
SHA512
c24771dee7d0e7651b2530623332c28b434da98cc3dbadf3af597225d71a9f2c699bd65f9155424ded2e3902ca1a2f63bc234345b10db9f06e724e9d90ec8351
-
SSDEEP
12288:SfX25LrCxNuYlc+zakllH7RaR00QHtHx6fsZAvantxK13v6pcL4cUikDXR6sVc+i:SfX25LrCxNuYlcSXt0ehkASIN3CTmv+
Malware Config
Signatures
-
A310logger
A310 Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 5 IoCs
-
A310logger Executable 6 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\41c3b05debb26645393a5c7253f28e77.exe"C:\Users\Admin\AppData\Local\Temp\41c3b05debb26645393a5c7253f28e77.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\41c3b05debb26645393a5c7253f28e77.exe"C:\Users\Admin\AppData\Local\Temp\41c3b05debb26645393a5c7253f28e77.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"4⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD502031dac40cf01757ab304d7b3f87735
SHA19d0714c5a464fab578d6bc068cfc1088e9e426e0
SHA2562a4aebaa5470e8f20b28a1e9a028894fdd0e32c7275ceac79f3671372ce842ff
SHA5123275f656df052c4be33e685a48dc915561eca460dfd9b36ad79a1c5c51ad9e566861549a964a02c21b33b8bf4ef80140ff20132f8f6e1ffb134c132453dbf14b
-
C:\Users\Admin\AppData\Local\Temp\Cab9658.tmpFilesize
59KB
MD552a468d9828839b86863cc84d42b7138
SHA17a2ecc7bed634dfaaf15f3b9de855fe0c731158a
SHA256e6241a5a49dfcbb8cecfafe7d60461dc4da4433e85ef1308613d7af70f0fdd4d
SHA512f346ce1906f4fcf8b6eb64b8ee60a498b9da901b29fb8820824f4431de9dc7a553474b1aa54602b420d759b3c4319b21bf5219a03c0667be33289f854ea61f04
-
C:\Users\Admin\AppData\Local\Temp\Tar9716.tmpFilesize
55KB
MD5cdd8eb52e9041b27568f467ffbc8bb9f
SHA1897d2c873636e235e2b2a7cd00f9a9ca39858c46
SHA256fac78fb97137e27b7ac5851b6de766515e964bf183034a16ac111ba6aef1acdb
SHA5121f6c4f63058debba539980ffdd4bc5f6db1eef53001d88d065b67ecff77e77a3c173d53ce42eaa7a0c760282973af98f774c89800a6bafbf581f7466539c6d03
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exeFilesize
20KB
MD51bad0cbd09b05a21157d8255dc801778
SHA1ff284bba12f011b72e20d4c9537d6c455cdbf228
SHA256218073bda7a00e780704c1289d5e22ad27bb3ba11f210afa18af33a6ad5176e9
SHA5124fea56812eba1f1bba17f20d06b509e2a3b4e138562e53c230d0736d596abed4a6a3e43e26936fcd6d107924c8bba41885f34901afa4fd0d37d7e4a93c9b8533
-
memory/1856-104-0x000007FEF56B0000-0x000007FEF604D000-memory.dmpFilesize
9.6MB
-
memory/1856-105-0x000007FEF56B0000-0x000007FEF604D000-memory.dmpFilesize
9.6MB
-
memory/2080-32-0x00000000740F0000-0x000000007469B000-memory.dmpFilesize
5.7MB
-
memory/2080-21-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/2080-29-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/2080-27-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/2080-34-0x00000000740F0000-0x000000007469B000-memory.dmpFilesize
5.7MB
-
memory/2080-33-0x0000000000B70000-0x0000000000BB0000-memory.dmpFilesize
256KB
-
memory/2080-106-0x00000000740F0000-0x000000007469B000-memory.dmpFilesize
5.7MB
-
memory/2080-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2080-23-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/2080-31-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/2080-19-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/2080-17-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/2096-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2108-1-0x0000000000090000-0x0000000000190000-memory.dmpFilesize
1024KB
-
memory/2108-2-0x0000000000080000-0x0000000000082000-memory.dmpFilesize
8KB
-
memory/2360-11-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/2360-5-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/2360-3-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/2712-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB