General

  • Target

    fe5302bba9df06cf475640244474f020_JaffaCakes118

  • Size

    3.5MB

  • Sample

    240929-metwpstbrc

  • MD5

    fe5302bba9df06cf475640244474f020

  • SHA1

    9b3709925811bb759047209a183ae6b1a5424462

  • SHA256

    0382d5a4514cea3a47d9d4fac22605cb246f33f90613c805772d4e2236f4fda3

  • SHA512

    6337c089a3a198a585d379605c65b55c4025806d16c9432a537d7f0d7836a9f45d1c7b003089616c9306a1111dfd284382ae25025c34d6fb7881edc0b7b350bd

  • SSDEEP

    98304:P+cZyY7EmZTubjvsTowt/OyJ2KEJWOaT0:PFEmZAjvs0wJjYMK

Malware Config

Targets

    • StormKitty

      StormKitty is an open-source information stealer written in C#.

    • StormKitty payload

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses Microsoft Outlook profiles

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks