Overview

overview

10

Static

static

3

96739a4d39...c8.exe

windows7-x64

1

96739a4d39...c8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/02/2024, 06:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    96739a4d394217c2cbd895cf16acc0c8.exe

  • Size

    455KB

  • MD5

    96739a4d394217c2cbd895cf16acc0c8

  • SHA1

    90af83fed1eb2652e133aad4f47f9354287f75a8

  • SHA256

    28fe91c48fa8583da9692cbdee3c2c32038d5dc3f8ca7dcd195f74511c1d6a78

  • SHA512

    846383b8cd6ff5208c96bf2063faff5c2fa1c1d5d714c11cb30d9aa84ad56f2435f70b2446cfc7006920a4b71dfc568bb36e03d5e8d077db757e673307729955

  • SSDEEP

    6144:FpJ+LBFdhgY3AgXUU6EEsgg/nzzYjzZnMUzpVltygvxTUpVP/KW+q9UT95GX:vArdGPqSENgg/KRpT/vxUpMLR5k

Score
10/10
a310loggerstormkittycollectionspywarestealer

Malware Config

Signatures

  • A310logger

    A310 Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

    stealerspywarea310logger
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 2 IoCs
  • A310logger Executable 8 IoCs
  • Executes dropped EXE 3 IoCs
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\96739a4d394217c2cbd895cf16acc0c8.exe
    "C:\Users\Admin\AppData\Local\Temp\96739a4d394217c2cbd895cf16acc0c8.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:4412
    • C:\Users\Admin\AppData\Local\Temp\96739a4d394217c2cbd895cf16acc0c8.exe
      "C:\Users\Admin\AppData\Local\Temp\96739a4d394217c2cbd895cf16acc0c8.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:436
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
        3⤵
        • Accesses Microsoft Outlook profiles
        • Checks processor information in registry
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2540
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3064
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
        3⤵
        • Accesses Microsoft Outlook profiles
        • Checks processor information in registry
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4472
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1564
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
        3⤵
        • Accesses Microsoft Outlook profiles
        • Checks processor information in registry
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • outlook_office_path
        • outlook_win_path
        PID:3716
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2260

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\MZ.exe.log
    Filesize

    128B

    MD5

    3d238ac6dd6710907edf2ad7893a0ed2

    SHA1

    b07aaeeb31bdc6e94097a254be088b092dc1fb68

    SHA256

    02d215d5b6ea166e6c4c4669547cbadecbb427d5baf394fbffc7ef374a967501

    SHA512

    c358aa68303aa99ebc019014b4c1fc2fbfa98733f1ea863bf78ca2b877dc5c610121115432d96504df9e43bdda637b067359b07228b6f129bc5ec9a01ed3ee24

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\InstallUtil.exe.log
    Filesize

    496B

    MD5

    5370d1dff94d27a9a6cfab002a5c444b

    SHA1

    fecadd9e884c57822ebeae897a3989c0e678fd1a

    SHA256

    0ddb4ec9a919c3566a4ab48ce605f24816e6fb2efdd6e4070a54a1f5912ec946

    SHA512

    67a3787e49e7d8ea23b3e1766639b36e685cf404042bc270f5c43dc0b0f50623778cb98c013577b3a0a3b425b608ff4e944e29df3725425ce6383759fe7534eb

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe
    Filesize

    20KB

    MD5

    1bad0cbd09b05a21157d8255dc801778

    SHA1

    ff284bba12f011b72e20d4c9537d6c455cdbf228

    SHA256

    218073bda7a00e780704c1289d5e22ad27bb3ba11f210afa18af33a6ad5176e9

    SHA512

    4fea56812eba1f1bba17f20d06b509e2a3b4e138562e53c230d0736d596abed4a6a3e43e26936fcd6d107924c8bba41885f34901afa4fd0d37d7e4a93c9b8533

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe
    Filesize

    1KB

    MD5

    538d5c3e683346a221e89d2b73031a48

    SHA1

    a068e14324ba61b478b91806f927f365c5323511

    SHA256

    c9a93abcb4dd3cd7636c06705d6204530bfb12a4abce8c209faf9ed4b5e11f88

    SHA512

    dfad7afeb9dc80ba910413373b84d4a3faa7236b626a9bef5fecdfcd5101ff2c2e2a197b8af238ff671ddcfab75f63543e55e0f222aa0d60cb3836e683d8e888

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe
    Filesize

    9KB

    MD5

    a4afaa61456d573c55f2cca445767d71

    SHA1

    9cd85e295e1e98c9696aa6a34e554ce8ab3fc273

    SHA256

    1b2a30b6ffe8c2010ad4d8b171aa87fbcd99f699f1777e04fef018a81aaaa48e

    SHA512

    ecbc4506dd4a3cdd4d71d89ca43a6960328f14b9b7b74e36747239f04cd4b986b14b90febb4efce031f9b7b28337c9bf83aa063784059e738ebaf733fc0c193b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe
    Filesize

    5KB

    MD5

    46fe20730ffdea3ac1ec630163d180cd

    SHA1

    47605cb197c9ae7ba88c0f0eb0c4e9e70aab1b05

    SHA256

    7b389a7f6431ce5c177a74c28bb0767a3bff940fcf64d8c1fca1abcbac08669c

    SHA512

    8cf7258ecac637700f7b4057d79595519cb8eb887cd2103fe8713b11526b8e16eea64ab9e662dedfdddb6cc57405ca2cd1ff35343079d0cabd3faed2ea0808df

    Download Submit

  • memory/436-4-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/436-2-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/436-32-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1564-55-0x00007FFD9D4C0000-0x00007FFD9DE61000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1564-54-0x00007FFD9D4C0000-0x00007FFD9DE61000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1564-53-0x00000000014F0000-0x0000000001500000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1564-52-0x00007FFD9D4C0000-0x00007FFD9DE61000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2260-74-0x00007FFD9D570000-0x00007FFD9DF11000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2260-73-0x00007FFD9D570000-0x00007FFD9DF11000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2540-11-0x0000000001900000-0x0000000001910000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2540-8-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2540-9-0x0000000074440000-0x00000000749F1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2540-31-0x0000000074440000-0x00000000749F1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2540-10-0x0000000074440000-0x00000000749F1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3064-29-0x00007FFD9D980000-0x00007FFD9E321000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3064-24-0x0000000001880000-0x0000000001890000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3064-27-0x00007FFD9D980000-0x00007FFD9E321000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3064-23-0x00007FFD9D980000-0x00007FFD9E321000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3716-61-0x0000000074150000-0x0000000074701000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3716-75-0x0000000074150000-0x0000000074701000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3716-60-0x00000000014B0000-0x00000000014C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3716-59-0x0000000074150000-0x0000000074701000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4412-0-0x0000000000230000-0x0000000000270000-memory.dmp

    Filesize

    256KB

    Download

  • memory/4412-1-0x00000000014A0000-0x00000000014A2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4412-5-0x0000000000230000-0x0000000000270000-memory.dmp

    Filesize

    256KB

    Download

  • memory/4472-38-0x0000000074150000-0x0000000074701000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4472-56-0x0000000074150000-0x0000000074701000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4472-39-0x0000000074150000-0x0000000074701000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4472-37-0x00000000015B0000-0x00000000015C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4472-36-0x0000000074150000-0x0000000074701000-memory.dmp

    Filesize

    5.7MB

    Download