thunderkittystealer | bde17c0301047fac8609321d071edb5d857c68cc9d044ee01f6fa96990bd6e06 | Triage

Sharing

General

Target

skeet (1234).zip
Size

4.1MB
Sample

241017-k7g2ha1ejd
MD5

3479ced9a8a15de0712a7f5bdc2f82f1
SHA1

381b2f269191c65d801f33e98c4afdbd7523fe7f
SHA256

bde17c0301047fac8609321d071edb5d857c68cc9d044ee01f6fa96990bd6e06
SHA512

cccb183e9bfa6e017cd8a67125f6c49daf1d203f5f687ee36bc000fe0d240ab8b94129c48d3c708cecdaa10279e2ae5d247e93d5aadfc8c65ece18ea3923b0d0
SSDEEP

98304:wjpB+Z+4P6th1sNl/kbJE2LhIzU5fUZoNQik4I:8rh6T/eJE2LhIAcx4I

Score

10^/10

thunderkittystealer discovery evasion execution persistence privilege_escalation spyware stealer

Malware Config

Extracted

Family

thunderkittystealer

C2

https://api.telegram.org/bot5521728363:AAEyeNcSOq8nab7CC91r_S3JELAEQsGbRlg/sendMessage?chat_id=1693007947

Targets

- Target
  
  skeet.exe
- Size
  
  9.8MB
- MD5
  
  5caf8a4e165d0ede23ca16c1954e6e4e
- SHA1
  
  298f055ae4c3fee613b994c2450454b4ca311abe
- SHA256
  
  889fcffb92c1e52ec1ed263476298bf0dee82c5dddbcf0e5e0c9e6c42cfd55b0
- SHA512
  
  74e5950bd46e169ad3583f2155b2ef414e6f862fd26bbf1f32bc3b91a0ef03e15b76967d58661b3a1d273303f12103d650b659ddc6684be5de0e58746dc52c97
- SSDEEP
  
  98304:C3BUxzQ38BsPGlgw97DB7prt8EREv/lLl8EnGpaeiWZ:C3138Bdxiv/lLl8PZ
Score

9^/10

discovery evasion execution persistence privilege_escalation spyware stealer
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Modifies Windows Firewall
  evasion
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Network Service Discovery
  Attempt to gather information on host's network.
  discovery
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Account Manipulation

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Account Manipulation

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Browser Information Discovery

Network Service Discovery

Permission Groups Discovery

Local Groups

System Information Discovery

System Network Configuration Discovery

Wi-Fi Discovery

System Network Connections Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

thunderkittystealer

behavioral1

discoveryevasionexecutionpersistenceprivilege_escalationspywarestealer