Analysis
-
max time kernel
40s -
max time network
135s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
05-01-2024 11:43
General
-
Target
4399c21e668cbe469401638c66ef0519.exe
-
Size
398KB
-
MD5
4399c21e668cbe469401638c66ef0519
-
SHA1
6caabc0989fb59963f1178de1a528f0f50b7fe33
-
SHA256
dd28e77b8a4352128745bf0a5b8a7df5dc2cfd7b80dd5cb0ea300d95098cccc1
-
SHA512
02d09cd6b09f4ac680bb0d4748e72b347c37e87154c2422d8b879297fd48254608b598bb6b8db8a1258c9571f33f69e7ae791ec1e23682205cf517380d4bf4ff
-
SSDEEP
6144:+/LAKDz4XXXXXXXXXXXXXAWkcDVfe7BKJwhfgJeDs4fTe+dbOQXXXXXXXXXXXXX/:cI7mW4DNxk/w1DBX1
Malware Config
Signatures
-
A310logger
A310 Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 7 IoCs
-
A310logger Executable 8 IoCs
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4399c21e668cbe469401638c66ef0519.exe"C:\Users\Admin\AppData\Local\Temp\4399c21e668cbe469401638c66ef0519.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\4399c21e668cbe469401638c66ef0519.exe"C:\Users\Admin\AppData\Local\Temp\4399c21e668cbe469401638c66ef0519.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"3⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- outlook_office_path
- outlook_win_path
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"4⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD52f56d46dd320df5d42c65b7ea6760268
SHA1ba1324f45d936e0e4318ae45e3bed9c8215db9c1
SHA256bddf96814caccf79387c13ab55d20c2ca432fd96b1d4a60c31f3732917bf4c1c
SHA5127f8c316ca054c378787e0e262067daae3b37b73660b0a520640d2c6ced4c0172c4aeceb59a5a87ef44b8d8065b888f63ecdca771bb74d7f28e33e0c781818f31
-
C:\Users\Admin\AppData\Local\Temp\CabF308.tmpFilesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
C:\Users\Admin\AppData\Local\Temp\Tar2DC9.tmpFilesize
109KB
MD56f3a5a6c3b9eac80bc07a15cab733a71
SHA1947ab74a86cdd9b6099ea682fa8292e0e6023745
SHA256b9e2bb2a97c1d13c1e06a4918933299a004f0b2ce2a8baeab2d3a3731a0194ff
SHA5124bf59105a29a1a68f2d57b534fe7d8a02bfa799b8ee36689b893037cbad5e9bb18408d17ba6d104fcccb79f1dfbac937b71fceb668f8f8fec7158088bca23246
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exeFilesize
20KB
MD51bad0cbd09b05a21157d8255dc801778
SHA1ff284bba12f011b72e20d4c9537d6c455cdbf228
SHA256218073bda7a00e780704c1289d5e22ad27bb3ba11f210afa18af33a6ad5176e9
SHA5124fea56812eba1f1bba17f20d06b509e2a3b4e138562e53c230d0736d596abed4a6a3e43e26936fcd6d107924c8bba41885f34901afa4fd0d37d7e4a93c9b8533
-
memory/1016-0-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/1016-1-0x0000000000250000-0x0000000000252000-memory.dmpFilesize
8KB
-
memory/2124-158-0x0000000074880000-0x0000000074E2B000-memory.dmpFilesize
5.7MB
-
memory/2124-160-0x0000000074880000-0x0000000074E2B000-memory.dmpFilesize
5.7MB
-
memory/2124-159-0x0000000002390000-0x00000000023D0000-memory.dmpFilesize
256KB
-
memory/2124-187-0x0000000074880000-0x0000000074E2B000-memory.dmpFilesize
5.7MB
-
memory/2124-151-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2168-25-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/2168-4-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/2168-2-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/2220-17-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/2220-23-0x0000000074880000-0x0000000074E2B000-memory.dmpFilesize
5.7MB
-
memory/2220-26-0x0000000074880000-0x0000000074E2B000-memory.dmpFilesize
5.7MB
-
memory/2220-28-0x0000000074880000-0x0000000074E2B000-memory.dmpFilesize
5.7MB
-
memory/2220-24-0x0000000000C30000-0x0000000000C70000-memory.dmpFilesize
256KB
-
memory/2220-22-0x0000000074880000-0x0000000074E2B000-memory.dmpFilesize
5.7MB
-
memory/2220-7-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/2220-9-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/2220-11-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/2220-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2220-89-0x0000000074880000-0x0000000074E2B000-memory.dmpFilesize
5.7MB
-
memory/2220-19-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/2220-21-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/2220-13-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/2460-135-0x000007FEF51D0000-0x000007FEF5B6D000-memory.dmpFilesize
9.6MB
-
memory/2460-133-0x0000000000AE0000-0x0000000000B60000-memory.dmpFilesize
512KB
-
memory/2460-134-0x000007FEF51D0000-0x000007FEF5B6D000-memory.dmpFilesize
9.6MB
-
memory/2460-132-0x000007FEF51D0000-0x000007FEF5B6D000-memory.dmpFilesize
9.6MB
-
memory/2460-140-0x000007FEF51D0000-0x000007FEF5B6D000-memory.dmpFilesize
9.6MB
-
memory/2864-86-0x000007FEF5B70000-0x000007FEF650D000-memory.dmpFilesize
9.6MB
-
memory/2864-88-0x000007FEF5B70000-0x000007FEF650D000-memory.dmpFilesize
9.6MB
-
memory/2864-87-0x0000000000A10000-0x0000000000A90000-memory.dmpFilesize
512KB
-
memory/2976-185-0x000007FEF5B70000-0x000007FEF650D000-memory.dmpFilesize
9.6MB
-
memory/2976-186-0x000007FEF5B70000-0x000007FEF650D000-memory.dmpFilesize
9.6MB
-
memory/2980-107-0x0000000002250000-0x0000000002290000-memory.dmpFilesize
256KB
-
memory/2980-105-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/2980-103-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/2980-106-0x0000000074830000-0x0000000074DDB000-memory.dmpFilesize
5.7MB
-
memory/2980-108-0x0000000074830000-0x0000000074DDB000-memory.dmpFilesize
5.7MB
-
memory/2980-136-0x0000000074830000-0x0000000074DDB000-memory.dmpFilesize
5.7MB
-
memory/2980-99-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB