General
-
Target
anilator_protected.exe
-
Size
1.2MB
-
Sample
241013-a4ef4avbql
-
MD5
dabf4a7a3784c16fbac0987ea3ea77cc
-
SHA1
72528767bed8509ac1381231936acd099885a007
-
SHA256
519845112f4d4a6f126af8c63fc6c8c64614f4b3261659ae7f7d69527b75da19
-
SHA512
f54b661b9e0c935a5fdbfdf910dbc70eb702824908aa9f8211e8a3be38892235b28af69b9924a5b2e6989e6ee9634a50545d7387105fdc68e0fd43e1a1b39bda
-
SSDEEP
24576:c5fc0eFHXcNxa5GkGmbzp6XoNHKBzTGn6cTuwoAM85GlFQUXGfFbT2gjZQ5ooZ:QfF23c4Pp6YNHIzynouYQOU5KgjZho
Malware Config
Targets
-
-
Target
anilator_protected.exe
-
Size
1.2MB
-
MD5
dabf4a7a3784c16fbac0987ea3ea77cc
-
SHA1
72528767bed8509ac1381231936acd099885a007
-
SHA256
519845112f4d4a6f126af8c63fc6c8c64614f4b3261659ae7f7d69527b75da19
-
SHA512
f54b661b9e0c935a5fdbfdf910dbc70eb702824908aa9f8211e8a3be38892235b28af69b9924a5b2e6989e6ee9634a50545d7387105fdc68e0fd43e1a1b39bda
-
SSDEEP
24576:c5fc0eFHXcNxa5GkGmbzp6XoNHKBzTGn6cTuwoAM85GlFQUXGfFbT2gjZQ5ooZ:QfF23c4Pp6YNHIzynouYQOU5KgjZho
Score10/10-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload
-
Disables Task Manager via registry modification
-
.NET Reactor proctector
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1