General

  • Target

    googlechrome.exe

  • Size

    83KB

  • Sample

    240503-ng65gsdc6t

  • MD5

    ebd777183fe6d13de63d12decad546c7

  • SHA1

    807cb8f56e9143e2144071f26c70b3ebdb6e1927

  • SHA256

    7ea06aaeaf6d72d04cbc3d94beb8b639b65ec2ee0e5cb4816cbff28790537f88

  • SHA512

    8650c4873b36a70af1ce4887121de957606fdf381205fee88b26de00069040cfafd8a4bf5668677ddfed1ac7654aeaa258fa93954f86594d31ba50298adb188a

  • SSDEEP

    1536:EAMfrTX01OrGpRZNdbv66Claewnph6Nu/FJdVK5uYpiVpXwvf9bPNhlxj0kOe6D:DDewnphDF0gVpCf9bXlh0kOem

Targets

    • Contains code to disable Windows Defender

      A .NET executable that contains code to disable Windows Defender capabilities such as real-time monitoring and block-at-first-seen.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

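The two host-side behaviours listed above (a Run key for persistence and Defender capabilities switched off) both leave traces in the registry, so a triage check can be written against a registry export. The following is an added example and not code from the sandbox report or from StormKitty: it parses text in the Windows `reg export` (.reg) format, flags Run/RunOnce entries that launch from user-writable directories, and flags the Group Policy values that disable the Defender features the report names. The sample export, the directory list and the `Finding` type are constructed for the example; the policy value names (`DisableAntiSpyware`, `DisableRealtimeMonitoring`, `DisableBlockAtFirstSeen`) are the documented Defender policy values.

```python
import re
from dataclasses import dataclass

# Run keys checked for persistence (T1547.001); matched by suffix so the
# HKCU, HKLM and Wow6432Node variants are all covered.
RUN_KEYS = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
)

# Group Policy DWORDs that switch off the capabilities named in the report (T1112).
DEFENDER_KILL_SWITCHES = {
    (r"hkey_local_machine\software\policies\microsoft\windows defender", "disableantispyware"),
    (r"hkey_local_machine\software\policies\microsoft\windows defender\real-time protection",
     "disablerealtimemonitoring"),
    (r"hkey_local_machine\software\policies\microsoft\windows defender\spynet",
     "disableblockatfirstseen"),
}

# Assumed list of locations a legitimate Run entry rarely launches from.
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                   "\\users\\public\\", "\\programdata\\")

# Constructed .reg export: one benign Run entry, one suspicious one, and
# three Defender policy values (only two of them set to 1).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"googlechrome"="C:\\Users\\victim\\AppData\\Roaming\\googlechrome.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableRealtimeMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet]
"DisableBlockAtFirstSeen"=dword:00000000
"""


@dataclass
class Finding:
    technique: str   # ATT&CK technique ID
    key: str
    name: str
    value: str


def parse_reg_export(text):
    """Yield (key, value_name, raw_value) triples from .reg export text."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^(?:"([^"]*)"|@)=(.*)$', line)
        if m and key is not None:
            name = m.group(1) if m.group(1) is not None else "(Default)"
            yield key, name, m.group(2)


def decode_value(raw):
    """Decode the two .reg value forms used here: quoted strings and dword:hex."""
    if raw.startswith('"') and raw.endswith('"') and len(raw) >= 2:
        # .reg escapes backslash and double quote with a backslash.
        return "string", re.sub(r'\\(["\\])', r"\1", raw[1:-1])
    if raw.startswith("dword:"):
        return "dword", int(raw[len("dword:"):], 16)
    return "other", raw


def triage(reg_text):
    """Return Findings for Run-key persistence and Defender policy tampering."""
    findings = []
    for key, name, raw in parse_reg_export(reg_text):
        kind, value = decode_value(raw)
        key_l, name_l = key.lower(), name.lower()
        # T1547.001: Run/RunOnce entry launching from a user-writable directory.
        if kind == "string" and any(key_l.endswith(rk) for rk in RUN_KEYS):
            if any(d in value.lower() for d in SUSPICIOUS_DIRS):
                findings.append(Finding("T1547.001", key, name, value))
        # T1112: Defender policy value set to 1 disables the corresponding capability.
        if kind == "dword" and value == 1 and (key_l, name_l) in DEFENDER_KILL_SWITCHES:
            findings.append(Finding("T1112", key, name, str(value)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REG):
        print(f"{f.technique}  {f.key}\\{f.name} = {f.value}")
```

On a live host the same function can be fed real exports, for example `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg /y` and the corresponding `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender` subtree; `reg export` writes UTF-16, so read the file with `encoding="utf-16"` before passing it to `triage`. A policy value of 1 only proves tampering when the organisation does not set it deliberately, so compare against the expected baseline before escalating.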
MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1

Defense Evasion

  • Modify Registry (T1112): 1
