Analysis
-
max time kernel
94s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
25-10-2024 06:06
Behavioral task
behavioral1
Sample
Find Wallet v3.2-Crack.exe
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
Find Wallet v3.2-Crack.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
Find Wallet v3.2-Crack.exe
Resource
win10ltsc2021-20241023-en
General
-
Target
Find Wallet v3.2-Crack.exe
-
Size
3.5MB
-
MD5
68f929dc1286bf7af65bf056845f9b42
-
SHA1
1f1d9848811b3c00066f8be86035fda994ceedfd
-
SHA256
0d20648267d3004ba95b04f9ef01f3f6e40644b46773990807c2741adbdd3d82
-
SHA512
d2019f58239c44e8a0b2e92c04985943c998e32974b9a322fd3d925c13ec83b733520ddc06c15b2e43ab2587b1fbb4f799b6972f5f9b4069c5d7023cf720249a
-
SSDEEP
24576:GfP8j/svhs+hp5kH4vysV988IMf4r27GCS040YVqxzvXyKxNt38GT8JDPVv5+2tp:UP8j/MW+ise8IW4rF5ovXy6t7BQj1
Malware Config
Signatures
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 2 IoCs
resource yara_rule behavioral2/files/0x000c000000023b6f-7.dat family_stormkitty behavioral2/memory/3376-27-0x0000000000160000-0x00000000001B6000-memory.dmp family_stormkitty -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation Find Wallet v3.2-Crack.exe -
Executes dropped EXE 2 IoCs
pid Process 3376 Client.exe 4644 Find Wallet v3.2-Crack.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Client.exe Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Client.exe Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Client.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 4 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\SPDEBJWH\FileGrabber\Downloads\desktop.ini Client.exe File created C:\Users\Admin\AppData\Local\SPDEBJWH\FileGrabber\Pictures\desktop.ini Client.exe File created C:\Users\Admin\AppData\Local\SPDEBJWH\FileGrabber\Desktop\desktop.ini Client.exe File created C:\Users\Admin\AppData\Local\SPDEBJWH\FileGrabber\Documents\desktop.ini Client.exe -
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 39 api.ipify.org 40 api.ipify.org 41 ip-api.com 6 freegeoip.app 7 freegeoip.app -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Client.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Find Wallet v3.2-Crack.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Find Wallet v3.2-Crack.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 Client.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier Client.exe -
Suspicious behavior: EnumeratesProcesses 26 IoCs
pid Process 3376 Client.exe 3376 Client.exe 3376 Client.exe 3376 Client.exe 3376 Client.exe 3376 Client.exe 3376 Client.exe 3376 Client.exe 3376 Client.exe 3376 Client.exe 3376 Client.exe 3376 Client.exe 3376 Client.exe 3376 Client.exe 3376 Client.exe 3376 Client.exe 3376 Client.exe 3376 Client.exe 3376 Client.exe 3376 Client.exe 3376 Client.exe 3376 Client.exe 3376 Client.exe 3376 Client.exe 3376 Client.exe 3376 Client.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3376 Client.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2732 wrote to memory of 3376 2732 Find Wallet v3.2-Crack.exe 86 PID 2732 wrote to memory of 3376 2732 Find Wallet v3.2-Crack.exe 86 PID 2732 wrote to memory of 3376 2732 Find Wallet v3.2-Crack.exe 86 PID 2732 wrote to memory of 4644 2732 Find Wallet v3.2-Crack.exe 87 PID 2732 wrote to memory of 4644 2732 Find Wallet v3.2-Crack.exe 87 PID 2732 wrote to memory of 4644 2732 Find Wallet v3.2-Crack.exe 87 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Client.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Client.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Find Wallet v3.2-Crack.exe"C:\Users\Admin\AppData\Local\Temp\Find Wallet v3.2-Crack.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Users\Admin\AppData\Roaming\Client.exe"C:\Users\Admin\AppData\Roaming\Client.exe"2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3376
-
-
C:\Users\Admin\AppData\Roaming\Find Wallet v3.2-Crack.exe"C:\Users\Admin\AppData\Roaming\Find Wallet v3.2-Crack.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4644
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
105B
MD52e9d094dda5cdc3ce6519f75943a4ff4
SHA15d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
Filesize
305KB
MD5d3241ba20dac126226a22f7d22ee4908
SHA17c517b7a81ed8d600d48806b75d4a58dd4ab8df4
SHA256d6f8f9fead2382a96abe3f275b83cd6e334122d3707156eecfd11d3d1925c90b
SHA51255d49fa81aac28222e26ec08ee61c25cb1c417a4f1414c9f682a9330ae14d4540f62e8e5c287a69d37696900e374648fecc5880ec45b473942d3ebda83f04c26
-
Filesize
293KB
MD519608007517a043c55f903b8cebef30a
SHA1d92f891595783a892b68b7abb237120611df5fc1
SHA256afb593c4b7f3acbac687591e3caa4cc249dd995fb7438b19fc2888264164be66
SHA5127867b74059b2ffc224b53027b2fcc595251fdbf0bedb8154b199d4b655a9b64ff4b41deabd5f05db7098516c0f719901352d462abe3af286f41455aee5ff69c4
-
Filesize
399KB
MD5a38f16f061f705c9c8f65b2fb0615fc6
SHA186e40bd4de6a71d26cd1158d74cde27af91959bb
SHA25649233f85a87dafda888d2b11d0b69068ac89c8961090ece3353b8ed5e5e37cf8
SHA512c2267e53fcc06eb9747a4475f3be8b1c0c247f5851e383956483d5e2c52c777a719f83905ff2d42d4fa33c6b88179abd3cd9e0109790696371522987816a8646
-
Filesize
387KB
MD529c126aeb9fed4b418d284b349b9d1fd
SHA14e05cea00785ada4e872482fab8b9898333e8a11
SHA256015b487cf86618cc22d80339673cab8b0c6ef8f226085e01a2605c450e05af9a
SHA512c96175903b5558a673b4374680224de32e5561b81c66c6faee4b0eb109a276a1a781d351cf7aef54fe6a04031016a1b64a72708949a39595ebec61661cdad1d7
-
Filesize
292KB
MD535e984f63caac2406958dd9b89b3f34c
SHA177ec0a861b7fcc8975d4eea0d3f86398fb8ce7a8
SHA256498e3683a7daec2253fc7a6b18f4b7fb12a69733f593ee346030117e4dc01de3
SHA512153553014c047269c3b80c4c021524e95106de595158dbec5ee5e9c76f9fdc959a8d0a967a4d44ddd72bb258d5888b325f250ca059b9b35fd6e0a4e460e03f02
-
Filesize
150KB
MD5fffddf127e199303b3d127f276412fbb
SHA1c8a0d0b101b440e31c5dd23c4fe2937454ce8e0d
SHA256d8a6e4a2b3e0c73221c632e5a32e8db190014772a3cff03c9967fd81349d956d
SHA5121b19c0916cce5542ccbf8225c1146beee94bad1dfe16065ec1b739798e49366af695cc23fc51ead3f3c2f9be4ce19abef75fc404cdb4657399b6bc06ef6589aa
-
Filesize
560KB
MD544f0ae1216c45bc2266b6fb37f538ed3
SHA15620627745e05401e90e55bf108ddecb08c61cd1
SHA256e69344ccd19f6443c1152b235e911ae974f41daefd5121bf5ae7f1b9137e7021
SHA512ac7c4b07bf03870403c21b77ce1f865eb9a4598a99f8d8a632c5ff5e03ddab77c59923fac56875490c20fcb7e724535d8a618c90ec8c1e7e2412cf1cd202de7c
-
Filesize
339KB
MD5438b880d292af0ed53355a9d50b80fc7
SHA1b676f2e0d9336a86e44ed3ff9b8a38ae091ed330
SHA2568e60aa7d5a088a1348d6b126144b20e35233d5900eccfca8305825b1a2d2cdb0
SHA512859c372ac06333c14b3a52ec24ba629c11e6fb03cb7b5dafcaa454616bbd25b90a9d2676be7275996dfb1038479cdf6ba7300dcd2b7f432dd7ec981a23c4ac83
-
Filesize
691KB
MD55248b5cafaa6fe303c94a02e7e2e13c6
SHA14c2b2e6000894605ba124db2acca868265a49076
SHA256027b8757e864d3594511757d237dfb0e180c49e61b5d62f6616b758cf8c4f7ac
SHA5123a6f190789bd6bcadc48ebf931673b7b6dba3c19f4b190acfc2842466114a9fc980940a0be6cca06fdae7cecb616c28b4ab711b8e1b5e51e97850951aeb740bb
-
Filesize
1.0MB
MD5364089bf4fb01cb1dbad42ca96417a95
SHA1dd4778e76d9478c5dc59d51cbbf12429da61797b
SHA2564551e4883d4ee92782c3c3dda9e0a15a6d25b8fa8beff3211ba691e453476810
SHA5127bc03e746540f34ea46d8e5e4f867e4740e38154521b6e03fc686ee4a8691513fda0454696e3dfe1c3f3cbeb075c82ad1ece152cf951b36434078c6defd9f325
-
Filesize
681KB
MD59891a0369b68c23ed77b090db5bdea46
SHA1f132584ce1e6d89ba07c5a36d00e02ff54e50b9e
SHA256281f2e9b1c380488aced6daa2932621582d3a1c563ccc3fc5daf50aa5240aa6e
SHA512a2673a62faeb92d8e702be7c4d23598e97b28c90ee08b7a6313ff8362f54bd9495931039f6702e47c8aa33a935d5c3bc3cd446f715de0cdef676f135cab4cc68
-
Filesize
740KB
MD503f3e6d0cbc8388aba52cf7136d8bc51
SHA13f0c771ac551deb262d64cd50b0c795f1869b0fe
SHA256de766bce3cd2908b1ffb59c6927ad10246f72637c65574dbf2dbee83861fbe68
SHA512bb38d6d7c6f967f1c53341482755b80f87e214b987b60c4aa90a55f54d8f957a775859bd8274a16649090db7294d3695ea566c7f7a77b3870a263eda8ad85bf3
-
Filesize
4KB
MD59814d1c189bd38984ff5279e3fe28588
SHA15675dca58c1a3792a848a64aae340d989935a02e
SHA256037fb52a17a203f199d2e1aa6bd63f87c14c1b0af38e09d30206f8b112a95b19
SHA512f38715691e977d77785817c5d9301be37f87726b7b9162deb8628b4ec553d9e531c25cda94d9ad97f03fe0bec9f091f8c7a6c915373866056d0522e9dbebac34
-
Filesize
320KB
MD5bc5da83795b587fb1dfce2d6bef2d176
SHA1ccfd73ae06c12385a19f0cc836ac8a8bfda8c8d0
SHA256d8539aec2e01d20b840f4c35ae675eca7f85de828282d03c4aabad6034cd8ffb
SHA512503399a12376fd8036d2cc89cfb0652038e708dc9f098c55dfd19c04ff0646ffce31ecbfd84271ad2334058a2aa074bd53f96483d1fcb32bdacdc4a965957ff5
-
Filesize
3.0MB
MD5c309cb9865dfc6dbb7f977f4c0f722c0
SHA1b3a7d7fbedfeb6edd951f4b5d9a28b2af44dbfe9
SHA25651472e512316807270d85560bf6e3030355007c36a4f74d59a286411bb5378b5
SHA512a70067011aa20c814d927e628e229800b0ea6918be755dae17d27edb5ea5072de595d115cd134a8d77ab87e323657b6a0a22e31dbf6a74278e07219e64960797