Analysis
-
max time kernel
362s -
max time network
887s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
25-10-2024 06:04
Behavioral task
behavioral1
Sample
Find Wallet v3.2-Crack.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Find Wallet v3.2-Crack.exe
Resource
win10-20240404-en
Behavioral task
behavioral3
Sample
Find Wallet v3.2-Crack.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral4
Sample
Find Wallet v3.2-Crack.exe
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral5
Sample
Find Wallet v3.2-Crack.exe
Resource
win11-20241007-en
General
-
Target
Find Wallet v3.2-Crack.exe
-
Size
3.5MB
-
MD5
68f929dc1286bf7af65bf056845f9b42
-
SHA1
1f1d9848811b3c00066f8be86035fda994ceedfd
-
SHA256
0d20648267d3004ba95b04f9ef01f3f6e40644b46773990807c2741adbdd3d82
-
SHA512
d2019f58239c44e8a0b2e92c04985943c998e32974b9a322fd3d925c13ec83b733520ddc06c15b2e43ab2587b1fbb4f799b6972f5f9b4069c5d7023cf720249a
-
SSDEEP
24576:GfP8j/svhs+hp5kH4vysV988IMf4r27GCS040YVqxzvXyKxNt38GT8JDPVv5+2tp:UP8j/MW+ise8IW4rF5ovXy6t7BQj1
Malware Config
Signatures
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 2 IoCs
resource yara_rule behavioral2/files/0x000900000001ab3d-6.dat family_stormkitty behavioral2/memory/332-17-0x0000000000ED0000-0x0000000000F26000-memory.dmp family_stormkitty -
Executes dropped EXE 2 IoCs
pid Process 332 Client.exe 1560 Find Wallet v3.2-Crack.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Client.exe Key opened \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Client.exe Key opened \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Client.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 3 IoCs
description ioc Process File created C:\ProgramData\YBQDFVLH\FileGrabber\Desktop\desktop.ini Client.exe File opened for modification C:\ProgramData\YBQDFVLH\FileGrabber\Desktop\desktop.ini Client.exe File created C:\ProgramData\YBQDFVLH\FileGrabber\Documents\desktop.ini Client.exe -
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 19 ip-api.com 1 freegeoip.app 3 freegeoip.app 17 api.ipify.org 18 api.ipify.org -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Find Wallet v3.2-Crack.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Client.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Find Wallet v3.2-Crack.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 Client.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier Client.exe -
Suspicious behavior: EnumeratesProcesses 18 IoCs
pid Process 332 Client.exe 332 Client.exe 332 Client.exe 332 Client.exe 332 Client.exe 332 Client.exe 332 Client.exe 332 Client.exe 332 Client.exe 332 Client.exe 332 Client.exe 332 Client.exe 332 Client.exe 332 Client.exe 332 Client.exe 332 Client.exe 332 Client.exe 332 Client.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 332 Client.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 4160 wrote to memory of 332 4160 Find Wallet v3.2-Crack.exe 73 PID 4160 wrote to memory of 332 4160 Find Wallet v3.2-Crack.exe 73 PID 4160 wrote to memory of 332 4160 Find Wallet v3.2-Crack.exe 73 PID 4160 wrote to memory of 1560 4160 Find Wallet v3.2-Crack.exe 74 PID 4160 wrote to memory of 1560 4160 Find Wallet v3.2-Crack.exe 74 PID 4160 wrote to memory of 1560 4160 Find Wallet v3.2-Crack.exe 74 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Client.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Client.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Find Wallet v3.2-Crack.exe"C:\Users\Admin\AppData\Local\Temp\Find Wallet v3.2-Crack.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4160 -
C:\Users\Admin\AppData\Roaming\Client.exe"C:\Users\Admin\AppData\Roaming\Client.exe"2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:332
-
-
C:\Users\Admin\AppData\Roaming\Find Wallet v3.2-Crack.exe"C:\Users\Admin\AppData\Roaming\Find Wallet v3.2-Crack.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1560
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
105B
MD52e9d094dda5cdc3ce6519f75943a4ff4
SHA15d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
Filesize
710KB
MD5c6af739734599b00a2f016907810baf4
SHA1a69512077197cb823701bf1e19f4fec8d138eed8
SHA2563783ab69a3923413f54d63c6f80ba8a1ffe8c8813ca6dfb1e5e2a8ff60953a07
SHA5122c91009e1d89002d51cfca23ce6885388122e42e1e9aafc4ccebcdcfe69a05942cc00ab510fa5aa01108605d5cdf0572619716c86160d9239da93e8cc5f03a5b
-
Filesize
888KB
MD5b187069f7c80830671986b842522b771
SHA1260d8aaadbc42b59f058319ebe181bec8f39e71d
SHA256ffa14dd0cda790483877e7b4950af7d9abfa7f380e7ddb4413d44289544644c2
SHA5122ad755693f3dcdc0e623f704d9164ccc65a772e00c1965e36e6fd200887035f878ea932d0750cd532980ed990da58199a05af5c22186dacbb2ea7c51decba005
-
Filesize
600KB
MD5c80fa5231928fc074d3953d5ceb3b662
SHA156d3aa4ddee8086e83ed5b3372b4af0d8b46f6b8
SHA25642fbcc361c34fbaf60ac3122244856d961b9fd5f3513d460096215f90b724ce5
SHA512b179b6beb714bbf56102ff85a26d7534a0bb44ff2e88a36c1dfe00bfd2e73037b927ae314898744097fdf9752683a77b31b8c83cdd11709dbda911956a0e9e88
-
Filesize
577KB
MD5b2f78169bbe3dad3f75ecaadcf7382a0
SHA148e93be9775a737e43d8e5787c738e3661bf86de
SHA2561562bb40f3715ea20333bb06dbf1cdedea778cd40afee161d4e3bb9dd390c653
SHA512ba981b1ba8fdffc5b61b3d42e58b01c0a433b2ef5ea1e0b8fdd7726e46b777ff0ecddc0eb6bf24ed834fe75f2dbc9c10b48d6e6ef5b8d084cafb8a0697c0dacb
-
Filesize
398KB
MD5d5a2b68ac9a2ce14148975da36c08ac3
SHA12589780a8b0f899679da80dcd90124da730d42cb
SHA2563bd4e267f06090b00ee731f57411a9453fb261c153a13a581773d57cbf621e21
SHA512ca2d0928810e47b64d3e9cd29ea4712fad4167644524271d7210bad90bb183449fc82bb9092a8722f65cf1bb33e4a582a598132437b1065e4d49af038d6a9dc4
-
Filesize
1.0MB
MD5556093cf3bafc472bc4106292438619e
SHA1c0269c9a64585343a14d2859a00d2013a2b10e92
SHA256c1718e3b0a473dc07f6040d933bcfb07ca070659abc3d2b3d70dc61c1d4a0c41
SHA5122cb8d8de5eda314e7dbc897726d70319776b98c9ced4f19dcd33bb31959bead73a145c102343e217847f79ca63a4dcd72433ab3c4a8c1ccfe14a466e46008e45
-
Filesize
309KB
MD50e102c3093de5c3e8a37290aa9804b35
SHA119aeef82682a5ffa04177c45895a20ae02be72db
SHA2569e791fcc5c9d026d50ab70727909a28ed70576e39457751907b3d996a472ec5b
SHA512f81e49f880fa0f08a1fb39b7e29e1bcf87e64c5e49d6f8f2f0a0fd762ac2b658548e3728d4cf1d1bf3bb4b501a4d195998a2e377aa04332cd8d8da4a058c9455
-
Filesize
201KB
MD5999c203862bfa4c707bcc2986b6ca932
SHA13bb85cc44a0f36e38bba6cace3c3a40904dd04fa
SHA2565ce2cf643b930e687d05e00a95d636a87eeb819c36739a12557b837734cca068
SHA512d436528f7f8bb274f90f51e7a66d866bd6a4526ea3eaa21a87164d2adc436fef2c591ddf79a35c3369dd57793acb459d054518b7d339d15203a283290e806271
-
Filesize
481KB
MD5f37cf4cbd45a3aeee2384937b1675cc0
SHA18960962edf0ac79050bd2827dcadb37178915c9b
SHA25630f31236d521dbf12715927ac9cb088dd9cbe68a020d97f49281ee59fe41fe99
SHA512c89a61da56b0744e8c1b83774577a522b3e4b603881a3a2da805e62cd3a4e614d3739876889c8867fd404ba55fda107976fce3d1ac496b8d5550f76c980f6a9b
-
Filesize
270KB
MD53f23ea9ddeee7fe87c2c6878dc65ca8f
SHA16e34068cf731c65cd2effcfe1001892c7ce77f82
SHA25607d5a728190e6ecf1baf33072a4145256d0f88c78e7e1dc8d33d15f648cc170e
SHA512b2fe49103f194afe86a18784044c6e6e1e72886b16db314456dc6c5c83c21b0413c45822bc86f62db6700229c36429776b0997055571875d7e748486b8aac23f
-
Filesize
320KB
MD5bc5da83795b587fb1dfce2d6bef2d176
SHA1ccfd73ae06c12385a19f0cc836ac8a8bfda8c8d0
SHA256d8539aec2e01d20b840f4c35ae675eca7f85de828282d03c4aabad6034cd8ffb
SHA512503399a12376fd8036d2cc89cfb0652038e708dc9f098c55dfd19c04ff0646ffce31ecbfd84271ad2334058a2aa074bd53f96483d1fcb32bdacdc4a965957ff5
-
Filesize
3.0MB
MD5c309cb9865dfc6dbb7f977f4c0f722c0
SHA1b3a7d7fbedfeb6edd951f4b5d9a28b2af44dbfe9
SHA25651472e512316807270d85560bf6e3030355007c36a4f74d59a286411bb5378b5
SHA512a70067011aa20c814d927e628e229800b0ea6918be755dae17d27edb5ea5072de595d115cd134a8d77ab87e323657b6a0a22e31dbf6a74278e07219e64960797