Analysis
-
max time kernel
437s -
max time network
1157s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
25-10-2024 06:04
Behavioral task
behavioral1
Sample
Find Wallet v3.2-Crack.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Find Wallet v3.2-Crack.exe
Resource
win10-20240404-en
Behavioral task
behavioral3
Sample
Find Wallet v3.2-Crack.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral4
Sample
Find Wallet v3.2-Crack.exe
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral5
Sample
Find Wallet v3.2-Crack.exe
Resource
win11-20241007-en
General
-
Target
Find Wallet v3.2-Crack.exe
-
Size
3.5MB
-
MD5
68f929dc1286bf7af65bf056845f9b42
-
SHA1
1f1d9848811b3c00066f8be86035fda994ceedfd
-
SHA256
0d20648267d3004ba95b04f9ef01f3f6e40644b46773990807c2741adbdd3d82
-
SHA512
d2019f58239c44e8a0b2e92c04985943c998e32974b9a322fd3d925c13ec83b733520ddc06c15b2e43ab2587b1fbb4f799b6972f5f9b4069c5d7023cf720249a
-
SSDEEP
24576:GfP8j/svhs+hp5kH4vysV988IMf4r27GCS040YVqxzvXyKxNt38GT8JDPVv5+2tp:UP8j/MW+ise8IW4rF5ovXy6t7BQj1
Malware Config
Signatures
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 2 IoCs
resource yara_rule behavioral3/files/0x000b000000023b8f-7.dat family_stormkitty behavioral3/memory/2888-27-0x00000000001C0000-0x0000000000216000-memory.dmp family_stormkitty -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation Find Wallet v3.2-Crack.exe -
Executes dropped EXE 2 IoCs
pid Process 2888 Client.exe 3780 Find Wallet v3.2-Crack.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Client.exe Key opened \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Client.exe Key opened \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Client.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 4 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\YQRLKYON\FileGrabber\Pictures\desktop.ini Client.exe File created C:\Users\Admin\AppData\Local\YQRLKYON\FileGrabber\Desktop\desktop.ini Client.exe File created C:\Users\Admin\AppData\Local\YQRLKYON\FileGrabber\Documents\desktop.ini Client.exe File created C:\Users\Admin\AppData\Local\YQRLKYON\FileGrabber\Downloads\desktop.ini Client.exe -
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 7 freegeoip.app 9 freegeoip.app 43 api.ipify.org 44 api.ipify.org 45 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Find Wallet v3.2-Crack.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Client.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Find Wallet v3.2-Crack.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 Client.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier Client.exe -
Suspicious behavior: EnumeratesProcesses 26 IoCs
pid Process 2888 Client.exe 2888 Client.exe 2888 Client.exe 2888 Client.exe 2888 Client.exe 2888 Client.exe 2888 Client.exe 2888 Client.exe 2888 Client.exe 2888 Client.exe 2888 Client.exe 2888 Client.exe 2888 Client.exe 2888 Client.exe 2888 Client.exe 2888 Client.exe 2888 Client.exe 2888 Client.exe 2888 Client.exe 2888 Client.exe 2888 Client.exe 2888 Client.exe 2888 Client.exe 2888 Client.exe 2888 Client.exe 2888 Client.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2888 Client.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2964 wrote to memory of 2888 2964 Find Wallet v3.2-Crack.exe 86 PID 2964 wrote to memory of 2888 2964 Find Wallet v3.2-Crack.exe 86 PID 2964 wrote to memory of 2888 2964 Find Wallet v3.2-Crack.exe 86 PID 2964 wrote to memory of 3780 2964 Find Wallet v3.2-Crack.exe 87 PID 2964 wrote to memory of 3780 2964 Find Wallet v3.2-Crack.exe 87 PID 2964 wrote to memory of 3780 2964 Find Wallet v3.2-Crack.exe 87 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Client.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Client.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Find Wallet v3.2-Crack.exe"C:\Users\Admin\AppData\Local\Temp\Find Wallet v3.2-Crack.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Users\Admin\AppData\Roaming\Client.exe"C:\Users\Admin\AppData\Roaming\Client.exe"2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2888
-
-
C:\Users\Admin\AppData\Roaming\Find Wallet v3.2-Crack.exe"C:\Users\Admin\AppData\Roaming\Find Wallet v3.2-Crack.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3780
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
105B
MD52e9d094dda5cdc3ce6519f75943a4ff4
SHA15d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
Filesize
459KB
MD509f79ca4b3356d9c5c4589bde59ca492
SHA16502ecf4baac9259cd2cca6cb46289f0d8bb3f16
SHA2566445e7509d43af45301f7c11821c4c4e44399111e51e532fb2ed690de95df4ce
SHA5124f0ba86d6ce417700b1cd1e886da6d197eca9755a152e1a8b0d764dde020f678c7efecef722d00c1b2ae6f5a563fc6392aa328d981631467dd1148a46ed27dac
-
Filesize
402KB
MD59cd8d067f4ec9d9cbc7e5cc2bd328d43
SHA182821227a09bc5036f75d91ad1561e4017df08c8
SHA25614963dc1d299815a79102aa93243563d10be4e087ed36f98da4358f9a566d808
SHA512e19da07c18102feeb02c8e2dc0e20e7f9a96382ede42df77ec4c21f3911cf54dfe8d4ac9ac7fb239cd7f881f8a30bb6e05caef8c90a6924c6f5c366dbfc57462
-
Filesize
215KB
MD569f6fe07aeba878b482427dc56aab30c
SHA15708bc0508c29959859ced470da69165564db77b
SHA256fef68a995fae96041946db66b81abddc89c8c556d9d000c9cd9e28dd21697467
SHA512a52d33a991a94747ab8e93835a12c38cc0d9e16906be75e570464ca5fc8b38a6b58a18f38e21f193fab91024954b5bcd55261806d620720d1d7188053a4bf48f
-
Filesize
431KB
MD53a317429b1ffb1e819057701e449da20
SHA1f4f0b6fa7d2802b34dcd8eb9775ccf63b602012a
SHA256bdda0ce52abce91e04416072c03bca8d39bb95af8f5f2d09091e9e51ffb47c13
SHA512226cebf11778ab97db31bbeeb68abad6af00a22cc990721a05887d1d98fc70db27d526089a1c6e11d932aecdc01c80439d24a0c1a9b482cce4876cb0ac9079db
-
Filesize
350KB
MD503f7ba2aad147ee422aa186220d167a5
SHA1ff2b305dbf20e2d49ac5d3ee60fcd50e01d15735
SHA256e4c136097a6cfe77191bcccfbfb068449b50ffb805f91a08e53338331d777fa1
SHA512984051ec31a2d962b77b29bcd51c336a0d0a1e6638f7efd929b3e8812ae43f486974a449de8dd73f75d12fb6d62209af7ac1565717ec63ffccaa4ee0c873199d
-
Filesize
518KB
MD552d4dc89e17557abbd0c6d2c030c473f
SHA141ccf7b2254f87f4791ba5dda4f6e78fb21331c8
SHA25668e97cbe94a90967f2c22dd150879ab93075967e34083f81fb1e36435ffd7773
SHA51268e3cbc7e53e3b01f5cb101a2c60750a62e62a746b8019114a91d5d484237430876481ab6738e863cb22f908e88d490dc3708b0b7522f676e06aa050ef341c79
-
Filesize
322KB
MD589750cc23b8dec967f3848e0557b09b9
SHA1d1d80d092da0abd82e236ec78e929b1328061b1a
SHA2565452e127a8fe401649b49bf375fe8339945e54371cd6ba7a3794187f67eb866e
SHA512148739fb97e65c8568d3a94a51d424cf4711c1872c4f58b33ccc51d6653f548fcb6dd8d77bf31ea1ddf48aefa1e6b4cca5154dd55f0cd817cda5eb9803abbb4b
-
Filesize
616KB
MD5ba1c19e7a9ebad921b69e702a688c236
SHA1d7c131829c45d2122fdf8333565e2e3ef32c4371
SHA256cffc2f49e01b7fa3feeb3e7d166595f18be236fcd9041ffb3764bed3a635943d
SHA512937b33fbcd89a21133d9ed024fc64a7afdb00c5db7422f5f78def3d95a1ecd4e9e6052e8201f71689c1777bab03bf98edfc088cdd8f604ea8eb62d6af26cb265
-
Filesize
380KB
MD5ef2b732cc79c44b30adb28da2a7f8a38
SHA19a576dce6bb2fd7c6d6acac3b6c979b70ec78c08
SHA256d480b47fe9ff163df9da06df3390bcf143e8959062cfcb24e285126c529500db
SHA512bfcd23cdaa5356b2ff4e96f041cef43801b9b80a4243acb0d540ff063bc6b28cb0733ba0c014ec1ffddc9fad836d542cc7608ee9e57d6c0e6a8a76a6bdd4ec3f
-
Filesize
760KB
MD592b7297898ea6bac83c2332c54fc6dd6
SHA15e3d6e116e5f33d2f2f66968ecefdaffbe79aa2d
SHA25695a7796da5da5151c27003ff203fd3c19fff7392fec9af54ae309433be70308c
SHA512ec9ce55302485247cb473a7d6de265928d77a965567104524adb124b3dceb06088f10c6825a344ea31fe1f23b602ebf6df4ce7c55233f6510647cbfe1f2f36c1
-
Filesize
1.2MB
MD5c728a026442cc33f4ac4c0c6e2a5dd44
SHA1d96809e69f300b1dde0c9dce24d2c787189255a9
SHA2566eebf9780ed2ea1fc8ab8fb202f8ab7641bf78e87f12a8690aa3b4816960a091
SHA512ea9090e06aa6f8d672f79f7b773b2f0df78fd16bb388d9917c82a16c3b182ac524ff021710532ba2257d9816217631d844afe95823cd59c776d66d85e8a7bc63
-
Filesize
504KB
MD53d1762c2b211da27e69d9097d86ba50f
SHA105f3bacf32a12f8c9e5b2fb4ca97767dd72ebd7a
SHA256c151c54f327330f17e13c1253d50d2ed2cae0d67035cdb6a524b5431b4ee1da4
SHA5125bd253f8102386299269986e40b340a145440d5b23a6d556dbb684e14a323f52713dcf08ca14801937d45c05b093054f2b7a861a021f9f104d129932980a4a07
-
Filesize
411KB
MD501011612f20141b6e0db08e9ff42842a
SHA1353d5c1ad017361265b769713873a69fb037a025
SHA256ddca446298c97e2d6cdc13ec9edd718ff22b28fb0b12ba514bb8c111b9afeeaa
SHA512c8b75f62afefab2e2105bbf38f1eafbb34859d217887a839063b7ea49a3d76df889b94eaa2e36015eefc98801e62230d4e6641f326cb7a07257cf82d338a2ce1
-
Filesize
385KB
MD523d4bff035d83ff968de52496a8e76b0
SHA1891d4b9347ee8b7cdb18e60aec6791c2cf898b58
SHA2566fb2b715f2ff98fb7a393314c532fed35e2ae5de412e03c4491b57ea9b0fbd00
SHA512110f4cec7e43ad567b897afe14339d7fc3b0fb6369eeffc657af0befc435eeb2178a979d98c146474a578fc1f99bf18d55cb18da25586d33a23ba06c1e6c8eb1
-
Filesize
4KB
MD5a9da1a7c0dc689f363d13e2ae332efa0
SHA1853e7e037d71ad715c1441d6fc232fefee29698b
SHA2561aba49c017f831b5f84ebe384486038d8d28b8aa8dae13d730e868f9cf698cfc
SHA51203782e75db764a7b6436848442a587f4dab4009f43e65db5b9e37d2fdd6fe79dca757b4c307d3106573b8c3cca1ed5b992b74dfd92f3d9af3898a5f5a105d0fe
-
Filesize
320KB
MD5bc5da83795b587fb1dfce2d6bef2d176
SHA1ccfd73ae06c12385a19f0cc836ac8a8bfda8c8d0
SHA256d8539aec2e01d20b840f4c35ae675eca7f85de828282d03c4aabad6034cd8ffb
SHA512503399a12376fd8036d2cc89cfb0652038e708dc9f098c55dfd19c04ff0646ffce31ecbfd84271ad2334058a2aa074bd53f96483d1fcb32bdacdc4a965957ff5
-
Filesize
3.0MB
MD5c309cb9865dfc6dbb7f977f4c0f722c0
SHA1b3a7d7fbedfeb6edd951f4b5d9a28b2af44dbfe9
SHA25651472e512316807270d85560bf6e3030355007c36a4f74d59a286411bb5378b5
SHA512a70067011aa20c814d927e628e229800b0ea6918be755dae17d27edb5ea5072de595d115cd134a8d77ab87e323657b6a0a22e31dbf6a74278e07219e64960797