General

  • Target

    snakekeylogger.zip

  • Size

    496KB

  • Sample

    241019-yd85savbpb

  • MD5

    85d3b88f8762618b2b164e9215ac5ab2

  • SHA1

    5245c6de313a47b2d1bdb648d0930fd4b87cec50

  • SHA256

    c1552a429731fd841c35decf4dc2b2db7abf19f9281dd3c4c04439331ce8a69f

  • SHA512

    44b6175164b3f650da3800c96679be128bd1d6993e9993fa9bae19478ef13b869a63cab8b36b4ade7714aa97d4ea10d610e4f93cc8ce20a7842604c56136d88f

  • SSDEEP

    12288:zXdSXZu8Z3Qve4lmAfxfQDkNVwsoXABOj/qwzMheb:zEA8Z3z4lpfxwzDA3Gb

Malware Config

Extracted

  • Family

    snakekeylogger

  • Credentials

Targets

    • Target

      ec241a262db494a9d7ba5a4f916376fa89cec1830846ffd396fa4869cbb52f9e.exe

    • Size

      618KB

    • MD5

      6e9f35ee6a2d29698b248c047d7d6934

    • SHA1

      b6d664d46551a496f1264aba26b18c5651d326be

    • SHA256

      ec241a262db494a9d7ba5a4f916376fa89cec1830846ffd396fa4869cbb52f9e

    • SHA512

      473b490a0c62ed3c7314efaa91a464e4c60c21151b8eb400f42fcd39cc0a1a43289bf0d1e2c91614c879e679d1081f0ea0e22e17cad2cf6b39ba642b6559a932

    • SSDEEP

      12288:cysSIqE2ERm+m359N77qRKkjylNBVvpQFU66oX:lfGzcN77qIkWlNBnQp

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP address.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks