General

  • Target

    MtaSa Spoofer.exe

  • Size

    33KB

  • Sample

    240324-wd6zbaha8t

  • MD5

    d6e54c65c404da05fc2f83bdd7a0bd4b

  • SHA1

    8e2a5fd728be4cd86de00a9f8e033738b1eb441a

  • SHA256

    e740b74006ab9e292ceca14a3b8a3e7cf87bea4f2f7ea1dc6f63e4c10b19d903

  • SHA512

    f1ec6cf2dcd835fd7d1e71cbab86e913a5baac8693be90d01116e361b32f3269d727bde9a5b2cad22695ce2ac19c63c7d2c8767b995de3bbb9f0a12bb1727b42

  • SSDEEP

    768:XdtAjPc3IhoI+JF7oIjmzRJKMz1QB6SRMW:It+P7oIjmzPZ1QoyMW

Targets

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • UAC bypass

    • Disables RegEdit via registry modification

    • Modifies Installed Components in the registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2
