Analysis
-
max time kernel
38s -
max time network
164s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
05-01-2024 11:43
General
-
Target
4399c21e668cbe469401638c66ef0519.exe
-
Size
398KB
-
MD5
4399c21e668cbe469401638c66ef0519
-
SHA1
6caabc0989fb59963f1178de1a528f0f50b7fe33
-
SHA256
dd28e77b8a4352128745bf0a5b8a7df5dc2cfd7b80dd5cb0ea300d95098cccc1
-
SHA512
02d09cd6b09f4ac680bb0d4748e72b347c37e87154c2422d8b879297fd48254608b598bb6b8db8a1258c9571f33f69e7ae791ec1e23682205cf517380d4bf4ff
-
SSDEEP
6144:+/LAKDz4XXXXXXXXXXXXXAWkcDVfe7BKJwhfgJeDs4fTe+dbOQXXXXXXXXXXXXX/:cI7mW4DNxk/w1DBX1
Malware Config
Signatures
-
A310logger
A310 Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 2 IoCs
-
A310logger Executable 4 IoCs
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4399c21e668cbe469401638c66ef0519.exe"C:\Users\Admin\AppData\Local\Temp\4399c21e668cbe469401638c66ef0519.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\4399c21e668cbe469401638c66ef0519.exe"C:\Users\Admin\AppData\Local\Temp\4399c21e668cbe469401638c66ef0519.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"3⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- outlook_office_path
- outlook_win_path
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 804⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3076 -ip 30761⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\MZ.exe.logFilesize
128B
MD53d238ac6dd6710907edf2ad7893a0ed2
SHA1b07aaeeb31bdc6e94097a254be088b092dc1fb68
SHA25602d215d5b6ea166e6c4c4669547cbadecbb427d5baf394fbffc7ef374a967501
SHA512c358aa68303aa99ebc019014b4c1fc2fbfa98733f1ea863bf78ca2b877dc5c610121115432d96504df9e43bdda637b067359b07228b6f129bc5ec9a01ed3ee24
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\InstallUtil.exe.logFilesize
496B
MD56f996b93c361c74ec395d765aa6ffc06
SHA1a72207288114c907b252cd4df50b644d40a818ae
SHA256c0b85961e52bcd146b854bb019c956e52e8f7d549cefbb5d3617f996e5328944
SHA51260ab9220dfcc6d012d02349ab8258502c98af5e513beefad816faef76c7e2d19dac73365612139c0ad4fcfeccd88924dfe39ca91b44abffdfd40368945357a3b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exeFilesize
20KB
MD51bad0cbd09b05a21157d8255dc801778
SHA1ff284bba12f011b72e20d4c9537d6c455cdbf228
SHA256218073bda7a00e780704c1289d5e22ad27bb3ba11f210afa18af33a6ad5176e9
SHA5124fea56812eba1f1bba17f20d06b509e2a3b4e138562e53c230d0736d596abed4a6a3e43e26936fcd6d107924c8bba41885f34901afa4fd0d37d7e4a93c9b8533
-
memory/1672-1-0x0000000002220000-0x0000000002222000-memory.dmpFilesize
8KB
-
memory/1672-0-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/2244-62-0x00000000745D0000-0x0000000074B81000-memory.dmpFilesize
5.7MB
-
memory/2244-42-0x00000000745D0000-0x0000000074B81000-memory.dmpFilesize
5.7MB
-
memory/2244-44-0x00000000745D0000-0x0000000074B81000-memory.dmpFilesize
5.7MB
-
memory/2244-43-0x0000000001200000-0x0000000001210000-memory.dmpFilesize
64KB
-
memory/3184-61-0x00007FFE34B90000-0x00007FFE35531000-memory.dmpFilesize
9.6MB
-
memory/3184-59-0x00007FFE34B90000-0x00007FFE35531000-memory.dmpFilesize
9.6MB
-
memory/3184-58-0x0000000000990000-0x00000000009A0000-memory.dmpFilesize
64KB
-
memory/3184-57-0x00007FFE34B90000-0x00007FFE35531000-memory.dmpFilesize
9.6MB
-
memory/3900-12-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/3900-4-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/3900-2-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/4748-9-0x00000000748C0000-0x0000000074E71000-memory.dmpFilesize
5.7MB
-
memory/4748-33-0x00000000748C0000-0x0000000074E71000-memory.dmpFilesize
5.7MB
-
memory/4748-26-0x00000000748C0000-0x0000000074E71000-memory.dmpFilesize
5.7MB
-
memory/4748-11-0x00000000748C0000-0x0000000074E71000-memory.dmpFilesize
5.7MB
-
memory/4748-10-0x00000000010D0000-0x00000000010E0000-memory.dmpFilesize
64KB
-
memory/4748-8-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/5084-31-0x00007FFE35440000-0x00007FFE35DE1000-memory.dmpFilesize
9.6MB
-
memory/5084-27-0x00007FFE35440000-0x00007FFE35DE1000-memory.dmpFilesize
9.6MB
-
memory/5084-25-0x0000000001660000-0x0000000001670000-memory.dmpFilesize
64KB
-
memory/5084-24-0x00007FFE35440000-0x00007FFE35DE1000-memory.dmpFilesize
9.6MB