Analysis
-
max time kernel
93s -
max time network
80s -
platform
windows10-1703_x64 -
resource
win10-20240404-fr -
resource tags
arch:x64, arch:x86, image:win10-20240404-fr, locale:fr-fr, os:windows10-1703-x64, system:windows -
submitted
27-04-2024 11:57
Behavioral task
behavioral1
Sample
Paid Combo Tools.rar
Resource
win10-20240404-fr
Behavioral task
behavioral2
Sample
Paid Combo Tools/Combo List Tools.pdb
Resource
win10-20240404-fr
Behavioral task
behavioral3
Sample
Paid Combo Tools/Paid combo Tools.exe
Resource
win10-20240404-fr
Behavioral task
behavioral4
Sample
Paid Combo Tools/SkinSoft.VisualStyler.dll
Resource
win10-20240404-fr
General
-
Target
Paid Combo Tools/Paid combo Tools.exe
-
Size
1.3MB
-
MD5
805ecd51386773aeec776cf15d78ef0f
-
SHA1
d16204be4bfda5563ccf2aed038a8c11826a2119
-
SHA256
105b24a1aff3552fd265ed4fc5af8c0266fd7d31a81b3033120020a62304e604
-
SHA512
47cac5f76e2a20ec14cf8dac56247816ee019106ceceb5a977805c7d8bb3cb3f8eb0c57981483094adcc4da9281d05a3403a1092e26265c5ef991effafae29ee
-
SSDEEP
24576:XveKmWCVMoQ3x99e/xz5DokDsIeKmWCVMoQ3x99e/xz5DokDseEKmeKmWCVMoQ3G:XvjFF3x9k/x5kkDDjFF3x9k/x5kkDiKv
Malware Config
Extracted
Family: asyncrat
Group (AsyncRAT setting): Default
C2 hosts:
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
Telegram endpoint: https://api.telegram.org/bot6003478563:AAG3aliPXpD1ZldBFn1R2thp1ARU2PprMtU/sendMessage?chat_id=6052812018
Mutex: AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Note: the three loopback C2 entries and the mutex are the stock AsyncRAT client defaults, so the RAT component of this build has no reachable C2. The only routable endpoint in the config is the Telegram Bot API URL, which StormKitty uses to report collected data. install=false disables AsyncRAT's own install routine; the persistence recorded later in this report comes from the schtasks call made by PRIVATE CHECKER.EXE instead.
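The extracted config above is enough to decide what this sample can actually talk to. The following Python is an added triage helper, not part of the Triage report or of either malware family's code. It copies the config values from this page, assumes the stock AsyncRAT client defaults (loopback hosts on 6606/7707/8808 and the AsyncMutex_6SI8OkPnk mutex) and splits the Telegram Bot API URL into bot id, token, method and chat_id so the reachable indicators can be blocked or hunted for.

```python
"""Added example (not from the report): triage the extracted config above to
separate placeholder C2 entries from endpoints that are actually reachable."""
import ipaddress
import re
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Assumption: stock AsyncRAT client defaults as shipped in the public source.
ASYNCRAT_DEFAULT_HOSTS = {"127.0.0.1:6606", "127.0.0.1:7707", "127.0.0.1:8808"}
ASYNCRAT_DEFAULT_MUTEX = "AsyncMutex_6SI8OkPnk"

# Values copied from the "Malware Config" section of this report.
CONFIG = {
    "c2": ["127.0.0.1:6606", "127.0.0.1:7707", "127.0.0.1:8808"],
    "telegram": ("https://api.telegram.org/bot6003478563:AAG3aliPXpD1ZldBFn1R2thp1ARU2PprMtU"
                 "/sendMessage?chat_id=6052812018"),
    "mutex": "AsyncMutex_6SI8OkPnk",
    "delay": 3,
    "install": False,
    "install_folder": "%AppData%",
}

# Bot API path layout: /bot<bot_id>:<token>/<method>
TELEGRAM_PATH = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/(\w+)$")


def is_routable(hostport: str) -> bool:
    """True if the host part is a public IP; a hostname is assumed to resolve publicly."""
    host = hostport.rsplit(":", 1)[0].strip("[]")
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return True


def telegram_endpoint(url: str) -> Optional[Tuple[str, str, str, Optional[str]]]:
    """Split a Bot API URL into (bot_id, token, method, chat_id); None if it is not one."""
    parts = urlsplit(url)
    if parts.hostname != "api.telegram.org":
        return None
    m = TELEGRAM_PATH.match(parts.path)
    if not m:
        return None
    chat_id = parse_qs(parts.query).get("chat_id", [None])[0]
    return m.group(1), m.group(2), m.group(3), chat_id


def triage(cfg: dict) -> dict:
    """Summarise what the config can actually reach and which indicators to block."""
    live_c2 = [h for h in cfg["c2"] if is_routable(h)]
    stock = set(cfg["c2"]) <= ASYNCRAT_DEFAULT_HOSTS and cfg["mutex"] == ASYNCRAT_DEFAULT_MUTEX
    tg = telegram_endpoint(cfg["telegram"]) if cfg.get("telegram") else None
    return {
        "stock_asyncrat_config": stock,   # loopback hosts + default mutex: no live RAT C2
        "live_c2": live_c2,
        "telegram_bot_id": tg[0] if tg else None,
        "telegram_chat_id": tg[3] if tg else None,
        "telegram_method": tg[2] if tg else None,
        "network_indicators": (["api.telegram.org"] if tg else []) + live_c2,
    }


if __name__ == "__main__":
    for key, value in triage(CONFIG).items():
        print(f"{key}: {value}")
```

For this sample the summary reports a stock AsyncRAT config with no live C2 and api.telegram.org as the only network indicator; the bot id and chat_id are the values to search for in proxy logs, and the token is what you would report to Telegram for revocation.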
Signatures
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 2 IoCs
Processes:
resource | yara_rule
C:\Program Files (x86)\PRIVATE CHECKER.EXE | family_stormkitty
behavioral3/memory/60-11-0x00000000002A0000-0x00000000002D2000-memory.dmp | family_stormkitty
-
Async RAT payload 1 IoCs
Processes:
resource | yara_rule
C:\Program Files (x86)\PRIVATE CHECKER.EXE | family_asyncrat
-
Executes dropped EXE 2 IoCs
Processes:
pid | process
4148 | COMBO LIST TOOLS.EXE
60 | PRIVATE CHECKER.EXE
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 8 IoCs
All eight entries sit under the stealer's staging directory (C:\Users\Admin\AppData\Local\36b92c1256e7a9c357f976cd41710ed5\Admin@NDTNZVHN_fr-FR\Grabber\DRIVE-C\...), whose layout mirrors the victim profile: the grabber is copying the user's folders into its own output tree, not modifying the original desktop.ini files.
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Local\36b92c1256e7a9c357f976cd41710ed5\Admin@NDTNZVHN_fr-FR\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini | PRIVATE CHECKER.EXE
File created | C:\Users\Admin\AppData\Local\36b92c1256e7a9c357f976cd41710ed5\Admin@NDTNZVHN_fr-FR\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini | PRIVATE CHECKER.EXE
File created | C:\Users\Admin\AppData\Local\36b92c1256e7a9c357f976cd41710ed5\Admin@NDTNZVHN_fr-FR\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | PRIVATE CHECKER.EXE
File created | C:\Users\Admin\AppData\Local\36b92c1256e7a9c357f976cd41710ed5\Admin@NDTNZVHN_fr-FR\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | PRIVATE CHECKER.EXE
File created | C:\Users\Admin\AppData\Local\36b92c1256e7a9c357f976cd41710ed5\Admin@NDTNZVHN_fr-FR\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | PRIVATE CHECKER.EXE
File opened for modification | C:\Users\Admin\AppData\Local\36b92c1256e7a9c357f976cd41710ed5\Admin@NDTNZVHN_fr-FR\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | PRIVATE CHECKER.EXE
File opened for modification | C:\Users\Admin\AppData\Local\36b92c1256e7a9c357f976cd41710ed5\Admin@NDTNZVHN_fr-FR\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | PRIVATE CHECKER.EXE
File created | C:\Users\Admin\AppData\Local\36b92c1256e7a9c357f976cd41710ed5\Admin@NDTNZVHN_fr-FR\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | PRIVATE CHECKER.EXE
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
5 | icanhazip.com
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Drops file in Program Files directory 2 IoCs
Processes:
description | ioc | process
File created | C:\Program Files (x86)\COMBO LIST TOOLS.EXE | Paid combo Tools.exe
File created | C:\Program Files (x86)\PRIVATE CHECKER.EXE | Paid combo Tools.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
pid | pid_target | process | target process
2824 | 4148 | WerFault.exe | COMBO LIST TOOLS.EXE
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | PRIVATE CHECKER.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | PRIVATE CHECKER.EXE
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
60 | PRIVATE CHECKER.EXE (all 64 events come from this one process)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 60 | PRIVATE CHECKER.EXE
Token: SeDebugPrivilege | 60 | PRIVATE CHECKER.EXE
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes:
pid | process | target pid | target process | events
1688 | Paid combo Tools.exe | 4148 | COMBO LIST TOOLS.EXE | 3
1688 | Paid combo Tools.exe | 60 | PRIVATE CHECKER.EXE | 3
60 | PRIVATE CHECKER.EXE | 4604 | cmd.exe | 3
4604 | cmd.exe | 5104 | chcp.com | 3
4604 | cmd.exe | 2116 | netsh.exe | 3
4604 | cmd.exe | 3720 | findstr.exe | 3
60 | PRIVATE CHECKER.EXE | 8 | cmd.exe | 3
8 | cmd.exe | 3584 | chcp.com | 3
8 | cmd.exe | 2840 | netsh.exe | 3
60 | PRIVATE CHECKER.EXE | 316 | schtasks.exe | 3
Every write is from a parent into a child it has just created, three per child, which is consistent with ordinary process start-up rather than injection into an unrelated process.
Processes
-
"C:\Users\Admin\AppData\Local\Temp\Paid Combo Tools\Paid combo Tools.exe"  (PID 1688)
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
    "C:\Program Files (x86)\COMBO LIST TOOLS.EXE"  (PID 4148)
      - Executes dropped EXE
        C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 900  (PID 2824)
          - Program crash
    "C:\Program Files (x86)\PRIVATE CHECKER.EXE"  (PID 60)
      - Executes dropped EXE
      - Drops desktop.ini file(s)
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All  (PID 4604, C:\Windows\SysWOW64\cmd.exe)
          - Suspicious use of WriteProcessMemory
            chcp 65001  (PID 5104, C:\Windows\SysWOW64\chcp.com)
            netsh wlan show profile  (PID 2116, C:\Windows\SysWOW64\netsh.exe)
            findstr All  (PID 3720, C:\Windows\SysWOW64\findstr.exe)
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid  (PID 8, C:\Windows\SysWOW64\cmd.exe)
          - Suspicious use of WriteProcessMemory
            chcp 65001  (PID 3584, C:\Windows\SysWOW64\chcp.com)
            netsh wlan show networks mode=bssid  (PID 2840, C:\Windows\SysWOW64\netsh.exe)
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Program Files (x86)\PRIVATE CHECKER.EXE"  (PID 316, C:\Windows\SysWOW64\schtasks.exe)
          - Creates scheduled task(s)
Notes: the first dropped binary, COMBO LIST TOOLS.EXE, crashed and was handled by WerFault, so only PRIVATE CHECKER.EXE went on to run the stealer and register persistence. The schtasks command line names System32 but the image that actually ran is the SysWOW64 copy, which is the normal file-system redirection for a 32-bit parent. The task runs the dropped binary at every logon with the highest available run level under a name ("Chrome Update") unrelated to its target. The Wi-Fi collection seen here is limited to listing profile names and nearby BSSIDs; no key=clear retrieval of profile keys is recorded in this run.
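The tree above is a compact detection target: binaries in the root of Program Files (x86) spawned from a Temp directory, two cmd.exe wrappers of the form chcp 65001 && netsh wlan show ..., and a schtasks call registering an ONLOGON/HIGHEST task whose name has nothing to do with its target. The Python below is an added example and not part of this report: it runs three such rules over constructed Sysmon-style process-creation events that mirror the tree (PIDs and command lines are from the page; the explorer.exe parent of the top-level process, the field names and the two benign control events are assumptions).

```python
"""Added example (not from the sandbox report): three process-creation rules
for the behaviours in the tree above, run over constructed Sysmon-style events."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # full path of the started image
    cmdline: str        # its command line
    parent_image: str   # full path of the parent image


# The stealer's literal wrapper: force UTF-8 output, then list Wi-Fi profiles or BSSIDs.
WIFI_WRAPPER = re.compile(r"(?i)chcp\s+65001\s*&&\s*netsh\s+wlan\s+show\s+(profile|networks)")
# An executable sitting directly in a Program Files root, with no vendor sub-folder.
PROGRAM_FILES_ROOT = re.compile(r"(?i)^[a-z]:\\program files( \(x86\))?\\[^\\]+$")


def schtasks_opt(cmdline: str, flag: str) -> Optional[str]:
    """Value following a schtasks switch such as /tn or /tr, quoted or bare."""
    m = re.search(rf'(?i){re.escape(flag)}\s+(?:"([^"]*)"|(\S+))', cmdline)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def name_matches_target(task_name: str, target: str) -> bool:
    """Does the task name share a word (4+ letters) with the executable it launches?"""
    base = target.rsplit("\\", 1)[-1].lower().rsplit(".", 1)[0]
    name_words = re.findall(r"[a-z]{4,}", task_name.lower())
    base_words = re.findall(r"[a-z]{4,}", base)
    return any(w in base for w in name_words) or any(w in task_name.lower() for w in base_words)


def evaluate(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Return (rule, pid) pairs for every event that trips a rule."""
    findings: List[Tuple[str, int]] = []
    for ev in events:
        img = ev.image.lower()
        # Rule 1: cmd.exe wrapper used for Wi-Fi profile / BSSID collection.
        if img.endswith("\\cmd.exe") and WIFI_WRAPPER.search(ev.cmdline):
            findings.append(("wifi_profile_harvest", ev.pid))
        # Rule 2: ONLOGON task at highest run level whose name is a lure for its target.
        if img.endswith("\\schtasks.exe") and re.search(r"(?i)/create\b", ev.cmdline):
            sc, rl = schtasks_opt(ev.cmdline, "/sc"), schtasks_opt(ev.cmdline, "/rl")
            tn, tr = schtasks_opt(ev.cmdline, "/tn"), schtasks_opt(ev.cmdline, "/tr")
            if sc and rl and tn and tr and sc.upper() == "ONLOGON" and rl.upper() == "HIGHEST":
                if PROGRAM_FILES_ROOT.match(tr) or not name_matches_target(tn, tr):
                    findings.append(("schtasks_onlogon_highest_lure", ev.pid))
        # Rule 3: executable dropped straight into a Program Files root, launched from Temp.
        if PROGRAM_FILES_ROOT.match(ev.image) and "\\temp\\" in ev.parent_image.lower():
            findings.append(("exe_dropped_in_program_files_root", ev.pid))
    return findings


# Constructed events mirroring the tree (PIDs and command lines from the report;
# the explorer.exe parent and the two benign controls are assumptions).
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\Paid Combo Tools\Paid combo Tools.exe"
CHECKER = r"C:\Program Files (x86)\PRIVATE CHECKER.EXE"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
EVENTS = [
    ProcEvent(1688, DROPPER, f'"{DROPPER}"', r"C:\Windows\explorer.exe"),
    ProcEvent(4148, r"C:\Program Files (x86)\COMBO LIST TOOLS.EXE",
              r'"C:\Program Files (x86)\COMBO LIST TOOLS.EXE"', DROPPER),
    ProcEvent(60, CHECKER, f'"{CHECKER}"', DROPPER),
    ProcEvent(4604, CMD, r'"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All', CHECKER),
    ProcEvent(2116, r"C:\Windows\SysWOW64\netsh.exe", "netsh wlan show profile", CMD),
    ProcEvent(8, CMD, r'"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid', CHECKER),
    ProcEvent(316, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST '
              r'/tn "Chrome Update" /tr "C:\Program Files (x86)\PRIVATE CHECKER.EXE"', CHECKER),
    # Benign controls (constructed): an updater task whose name matches its target, and an
    # admin listing Wi-Fi profiles from an interactive prompt without the chcp wrapper.
    ProcEvent(700, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /sc ONLOGON /RL HIGHEST /tn "GoogleUpdateTaskMachineUA" '
              r'/tr "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"',
              r"C:\Windows\System32\msiexec.exe"),
    ProcEvent(701, r"C:\Windows\System32\cmd.exe", "cmd.exe /c netsh wlan show profile",
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for rule, pid in evaluate(EVENTS):
        print(f"{rule}: pid {pid}")
```

The chcp 65001 wrapper in rule 1 is the exact command this family issues and is precise but narrow; a broader rule would key on netsh wlan show profile whose parent chain does not start at an interactive shell. Rule 2 deliberately accepts a task whose name shares a word with its target so that real updater tasks do not fire it.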
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Program Files (x86)\COMBO LIST TOOLS.EXE
Filesize 825KB
MD5 de1c74b3096e1c1bf7373dd88afa9acf
SHA1 6bd8f04e8f1594802e298ac57d55d5bf3787e8f8
SHA256 c4986d1e40fbf336e46fb9b70cf05befa222f04c27b406435a110d16e3c17836
SHA512 dcb37164782e91568763ba5822233c42c21c4ff3822f944f2027f91732cd205ccfac8d3ea4e4ab9d79c7994c0adf61c0c3a9cf55d1687a3aec39e00dd3b554bf
-
C:\Program Files (x86)\PRIVATE CHECKER.EXE
Filesize 175KB
MD5 7f4680b1d2a029e070ed7418660c459b
SHA1 d0c77596dd6cd21e0953c058b7dc78ed6d292fbf
SHA256 f802ffd8e77365dcd2e55b567f10513a98e3117b6601fd1a48b41572ece82f3f
SHA512 56e70beb5721ecbb15e4551078940b8e94d0fc7658236f874051e2383a656f6b3d48b87aa74879d35bc6f1878c860035acd11f4d3df2fd1afebd7a583eb9ab04
-
C:\Users\Admin\AppData\Local\36b92c1256e7a9c357f976cd41710ed5\Admin@NDTNZVHN_fr-FR\System\Process.txt
Filesize 4KB
MD5 6d0d0799b8b15f71c97757224e912752
SHA1 2a93f292ebf38b68217c78beb2d180b8f5d1b780
SHA256 bdfe7553ff0b38a1f8a4a6bddd38ce84e13b663c9d8b919e3cfcd956a37bc0f4
SHA512 43ac95a97ce486978b3c3945392e09c135ff7d6b5f6e6169bcdbe2158790a78e322ea481bb2998c4121e512ee8cf4ab97dc77bd38d903350776eb82c7c134c91
-
C:\Users\Admin\AppData\Local\8b741d72f02884d5db39d33a5fbf3fcd\msgid.dat
Filesize 6B
MD5 58aa19b2723cd2f486a0d2f2f065b176
SHA1 52e9f3502a3af8e746b79fad539ce5cf28727b7f
SHA256 8759256b1d0538b15f10ea0b1e8539f08806b18ffa91fc1c9cacf07c1cb93dc8
SHA512 5f927dbf3dc5f6610524a7510e232c4598aba0c5951514fdbfb3b0245e5248b5e93920fe6b7f84adb1e058fc00df761718731b763f84e09f3ebd19aabc8ed6e1
-
Memory dumps (PID 60, PRIVATE CHECKER.EXE)
resource | Filesize
memory/60-11-0x00000000002A0000-0x00000000002D2000-memory.dmp | 200KB
memory/60-12-0x0000000073E50000-0x000000007453E000-memory.dmp | 6.9MB
memory/60-13-0x0000000004AF0000-0x0000000004B56000-memory.dmp | 408KB
memory/60-16-0x0000000004AE0000-0x0000000004AF0000-memory.dmp | 64KB
memory/60-18-0x0000000005390000-0x0000000005422000-memory.dmp | 584KB
memory/60-61-0x0000000005CA0000-0x0000000005CE2000-memory.dmp | 264KB
memory/60-143-0x0000000005E50000-0x0000000005E5A000-memory.dmp | 40KB
memory/60-149-0x0000000006710000-0x0000000006722000-memory.dmp | 72KB
memory/60-174-0x0000000007450000-0x000000000745A000-memory.dmp | 40KB
memory/60-176-0x0000000073E50000-0x000000007453E000-memory.dmp | 6.9MB
memory/60-177-0x0000000004AE0000-0x0000000004AF0000-memory.dmp | 64KB
-
Memory dumps (PID 4148, COMBO LIST TOOLS.EXE)
resource | Filesize
memory/4148-10-0x00000000002D0000-0x00000000003A4000-memory.dmp | 848KB
memory/4148-14-0x00000000051C0000-0x00000000056BE000-memory.dmp | 5.0MB
memory/4148-15-0x0000000073E50000-0x000000007453E000-memory.dmp | 6.9MB
memory/4148-17-0x00000000058D0000-0x00000000059D2000-memory.dmp | 1.0MB
memory/4148-175-0x0000000073E50000-0x000000007453E000-memory.dmp | 6.9MB
-
Notes: the 6.9MB region at 0x73E50000-0x7453E000 is dumped from both processes at the same base and size, so it is a shared module mapped into both rather than payload-specific memory. The 200KB region memory/60-11 is the one that matched the family_stormkitty rule in the Signatures section and is the dump to start from when pulling the unpacked stealer.