General
-
Target
SilverClient.exe
-
Size
43KB
-
Sample
240902-2p4k8azajm
-
MD5
16edc9184a4f2e4c18200304594d43d9
-
SHA1
9328f1016cf247a13b110d6ece2826ba4ad5a8cf
-
SHA256
be652d4e5771a47651e037776bbd47e90d3ab7de28e61e3c86abfc4b76c813dd
-
SHA512
196f4c9b55d2883b4c7364aca90741a9e606952e2c798b2c4075a661768dab274b5b6683280404ff31eed98a11003991c67f7af4d61cf48dd131e7365a3cf74d
-
SSDEEP
768:UsvI7cIxr7BcD1wjWxYQ4xJNHVR8kq/5h34vCvZPxaxP4RULQv9S6HPz1QB6Si/o:UsvwcIxrgwkbcrq/5xcl4Gsv9j71QoJg
Malware Config
Targets
-
-
Target
SilverClient.exe
-
Size
43KB
-
MD5
16edc9184a4f2e4c18200304594d43d9
-
SHA1
9328f1016cf247a13b110d6ece2826ba4ad5a8cf
-
SHA256
be652d4e5771a47651e037776bbd47e90d3ab7de28e61e3c86abfc4b76c813dd
-
SHA512
196f4c9b55d2883b4c7364aca90741a9e606952e2c798b2c4075a661768dab274b5b6683280404ff31eed98a11003991c67f7af4d61cf48dd131e7365a3cf74d
-
SSDEEP
768:UsvI7cIxr7BcD1wjWxYQ4xJNHVR8kq/5h34vCvZPxaxP4RULQv9S6HPz1QB6Si/o:UsvwcIxrgwkbcrq/5xcl4Gsv9j71QoJg
Score10/10-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
UAC bypass
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell
Run Powershell and hide display window.
-
Disables RegEdit via registry modification
-
Modifies Windows Firewall
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
Executes dropped EXE
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Drops desktop.ini file(s)
-
Modifies WinLogon
-
Hide Artifacts: Hidden Users
-
Sets desktop wallpaper using registry
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
3Hidden Files and Directories
2Hidden Users
1Impair Defenses
2Disable or Modify System Firewall
1Disable or Modify Tools
1Modify Registry
5Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1