General

  • Target

    shellbag anylizer.exe

  • Size

    302KB

  • Sample

    240807-qw4c9asfje

  • MD5

    722ed5e7ff86512f825d296e073413eb

  • SHA1

    cb452bdb2c77c3edbe46374fdebc8f6009798aa1

  • SHA256

    13b348cd229e23b0e55c9c2088a51916b819a369e363de8d11d7cb6391f29176

  • SHA512

    000fc1a7e61b0ea48056fba746aa3200545002797bf76519e5fe28d48ad30a093fc13860d05a07d697d19d246f627962782d1c1aa62d6e07aa7e6c19806f028a

  • SSDEEP

    1536:vUvlGtNL49D1Qo2u5hpisqGXfFHfrXEvIzVAXuiRp6EE8bMlnEfwGzod8MddBK1d:cvAT49D1l2SMubpxiBYe1oUJ2hsOFlD

Malware Config

Targets

    • Target

      shellbag anylizer.exe

    • Size

      302KB

    • MD5

      722ed5e7ff86512f825d296e073413eb

    • SHA1

      cb452bdb2c77c3edbe46374fdebc8f6009798aa1

    • SHA256

      13b348cd229e23b0e55c9c2088a51916b819a369e363de8d11d7cb6391f29176

    • SHA512

      000fc1a7e61b0ea48056fba746aa3200545002797bf76519e5fe28d48ad30a093fc13860d05a07d697d19d246f627962782d1c1aa62d6e07aa7e6c19806f028a

    • SSDEEP

      1536:vUvlGtNL49D1Qo2u5hpisqGXfFHfrXEvIzVAXuiRp6EE8bMlnEfwGzod8MddBK1d:cvAT49D1l2SMubpxiBYe1oUJ2hsOFlD

    • Modifies Windows Defender Real-time Protection settings

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks