Malware Analysis Report

2024-09-23 02:06

Sample ID 240614-ktlsjatbne
Target 2024-06-14_dd90b11f1be5fa2b5a917736df5f28a6_agent-tesla_allaple_blacknet_cobalt-strike_floxif_gandcrab_gh0st_hublo_inception_limerat_mailto_njrat_petya_rifdoor_sakula_scarhikn_trickbot_xiaoba_zloader
SHA256 5aaa80bc6f4bafdc40f59beda4af6c7075455733977153ac031c28e65307e2ef
Tags
stormkitty metasploit
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5aaa80bc6f4bafdc40f59beda4af6c7075455733977153ac031c28e65307e2ef

Threat Level: Known bad

The file 2024-06-14_dd90b11f1be5fa2b5a917736df5f28a6_agent-tesla_allaple_blacknet_cobalt-strike_floxif_gandcrab_gh0st_hublo_inception_limerat_mailto_njrat_petya_rifdoor_sakula_scarhikn_trickbot_xiaoba_zloader was found to be: Known bad.

Malicious Activity Summary

stormkitty metasploit

Detects Reflective DLL injection artifacts

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detects executables manipulated with Fody

Detects Windows executables referencing non-Windows User-Agents

Detects executables containing commands for clearing Windows Event Logs

Gandcrab Payload

StormKitty payload

Detects executables embedding registry key / value combination indicative of disabling Windows Defender features

Stormkitty family

Metasploit family

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

Detects executables packed with Enigma

UPX dump on OEP (original entry point)

Detects executables packed with ConfuserEx Custom; outside of GIT

Detects executables packed with ConfuserEx Mod

Detects executables packed with SmartAssembly

Unsigned PE

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 08:53

Signatures

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing commands for clearing Windows Event Logs

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables embedding registry key / value combination indicative of disabling Windows Defender features

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables manipulated with Fody

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables packed with ConfuserEx Custom; outside of GIT

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables packed with ConfuserEx Mod

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables packed with Enigma

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables packed with SmartAssembly

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A

Gandcrab Payload

Description Indicator Process Target
N/A N/A N/A N/A

Metasploit family

metasploit

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Stormkitty family

stormkitty

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 08:53

Reported

2024-06-14 08:53

Platform

win7-20240221-en

Max time kernel

0s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd90b11f1be5fa2b5a917736df5f28a6_agent-tesla_allaple_blacknet_cobalt-strike_floxif_gandcr.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd90b11f1be5fa2b5a917736df5f28a6_agent-tesla_allaple_blacknet_cobalt-strike_floxif_gandcr.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd90b11f1be5fa2b5a917736df5f28a6_agent-tesla_allaple_blacknet_cobalt-strike_floxif_gandcr.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 08:53

Reported

2024-06-14 08:53

Platform

win10v2004-20240508-en

Max time kernel

0s

Max time network

1s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd90b11f1be5fa2b5a917736df5f28a6_agent-tesla_allaple_blacknet_cobalt-strike_floxif_gandcr.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd90b11f1be5fa2b5a917736df5f28a6_agent-tesla_allaple_blacknet_cobalt-strike_floxif_gandcr.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd90b11f1be5fa2b5a917736df5f28a6_agent-tesla_allaple_blacknet_cobalt-strike_floxif_gandcr.exe"

Network

Files

N/A