Analysis
-
max time kernel
146s -
max time network
24s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
25-10-2024 06:15
Behavioral task
behavioral1
Sample
FindWalletv3.2-Crack.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
FindWalletv3.2-Crack.exe
Resource
win10v2004-20241007-en
General
-
Target
FindWalletv3.2-Crack.exe
-
Size
3.5MB
-
MD5
68f929dc1286bf7af65bf056845f9b42
-
SHA1
1f1d9848811b3c00066f8be86035fda994ceedfd
-
SHA256
0d20648267d3004ba95b04f9ef01f3f6e40644b46773990807c2741adbdd3d82
-
SHA512
d2019f58239c44e8a0b2e92c04985943c998e32974b9a322fd3d925c13ec83b733520ddc06c15b2e43ab2587b1fbb4f799b6972f5f9b4069c5d7023cf720249a
-
SSDEEP
24576:GfP8j/svhs+hp5kH4vysV988IMf4r27GCS040YVqxzvXyKxNt38GT8JDPVv5+2tp:UP8j/MW+ise8IW4rF5ovXy6t7BQj1
Malware Config
Signatures
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 2 IoCs
resource yara_rule behavioral1/files/0x00080000000120fd-5.dat family_stormkitty behavioral1/memory/2800-22-0x0000000000BB0000-0x0000000000C06000-memory.dmp family_stormkitty -
Executes dropped EXE 2 IoCs
pid Process 2800 Client.exe 2836 Find Wallet v3.2-Crack.exe -
Loads dropped DLL 3 IoCs
pid Process 1464 FindWalletv3.2-Crack.exe 1464 FindWalletv3.2-Crack.exe 1464 FindWalletv3.2-Crack.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Client.exe Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Client.exe Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Client.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 3 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\XECUDNCD\FileGrabber\Documents\desktop.ini Client.exe File created C:\Users\Admin\AppData\Roaming\XECUDNCD\FileGrabber\Downloads\desktop.ini Client.exe File created C:\Users\Admin\AppData\Roaming\XECUDNCD\FileGrabber\Pictures\desktop.ini Client.exe -
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 22 api.ipify.org 23 api.ipify.org 4 freegeoip.app 9 freegeoip.app 18 api.ipify.org 19 api.ipify.org 20 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Client.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Find Wallet v3.2-Crack.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language FindWalletv3.2-Crack.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 Client.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier Client.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 2800 Client.exe 2800 Client.exe 2800 Client.exe 2800 Client.exe 2800 Client.exe 2800 Client.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2800 Client.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1464 wrote to memory of 2800 1464 FindWalletv3.2-Crack.exe 30 PID 1464 wrote to memory of 2800 1464 FindWalletv3.2-Crack.exe 30 PID 1464 wrote to memory of 2800 1464 FindWalletv3.2-Crack.exe 30 PID 1464 wrote to memory of 2800 1464 FindWalletv3.2-Crack.exe 30 PID 1464 wrote to memory of 2836 1464 FindWalletv3.2-Crack.exe 31 PID 1464 wrote to memory of 2836 1464 FindWalletv3.2-Crack.exe 31 PID 1464 wrote to memory of 2836 1464 FindWalletv3.2-Crack.exe 31 PID 1464 wrote to memory of 2836 1464 FindWalletv3.2-Crack.exe 31 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Client.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Client.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\FindWalletv3.2-Crack.exe"C:\Users\Admin\AppData\Local\Temp\FindWalletv3.2-Crack.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1464 -
C:\Users\Admin\AppData\Roaming\Client.exe"C:\Users\Admin\AppData\Roaming\Client.exe"2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2800
-
-
C:\Users\Admin\AppData\Roaming\Find Wallet v3.2-Crack.exe"C:\Users\Admin\AppData\Roaming\Find Wallet v3.2-Crack.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2836
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
105B
MD52e9d094dda5cdc3ce6519f75943a4ff4
SHA15d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
Filesize
11KB
MD528e08e3c04a5cc889ee823af75a22762
SHA12ad54ea1f30f92a4a062439da9abb783c6927d11
SHA2567b0f9aca5c9e4d84f3d27a05866970a41c8216d83702b051722b6aa5a46110e3
SHA5120faf44c071affadb130b800ea9ededf3ae6caf383ca7ddce67b8718c969dcbccb5944356af6de9a5498ee89d532c1acd2b94e916b44dce149f35d56cfcfb9a32
-
Filesize
579KB
MD5a5495f008b9c15af39aa9c93aaf8afd4
SHA153f3c9baea010c0cdc70b0fe082c4708ac1b331e
SHA256870f2636450de8252c4492324c2aae721d5fcec8fd6cd53d00569d746b3f2eb2
SHA5125faeb81adb1d0124447e15a4964a7313f118f504dc2ceb3a5cf6c503152fdfd4278f2982006a2f409d4d6d2ccd1a4b9b85665b2e8125fe407ce115f61c82e8e3
-
Filesize
769KB
MD57ec8f312ac40d9a8b623e321c5cf014c
SHA1add161914232797eb10948cf97251da38c525f34
SHA2565e00060c0e77b11d4c58a348352d8cf3156f4cd1fbeb0b3a35952c8e9c464484
SHA51285e395e48db961b4ba7f8d07b4f49b86873dc0bd5b0eb6c2a8139fabc3d1a45f372266cdd48fdd292da5f7d4ac1d86949e1fcb4b1fb2c51dd5f4807187086a28
-
Filesize
1007KB
MD595928e7f65f7b84435cb6be1cff01b1a
SHA127112c7e0ff7684550c54a9d832f1dd8452767ba
SHA25679e9a11b3552c12ec990c3d6a84d23113c780cf8fad33ebcaadd39063016a920
SHA5125e8866d9984ed97a8ae9fa39e4623b265544cd30175e1cc86a10c947bc481d3fde4faac86b8ba0f863a2047da35598abc42911b0493fdde8f57ba6c9afffe864
-
Filesize
948KB
MD558cb0938b7f93e4a5a901fe10641c6f2
SHA1f534bb659b508513f6d6c0d8adc9e83687c7f276
SHA2566843bcfb3a2b9d98f6a3b8b688ea8fa499ab5cb828735c92a464b43de360f920
SHA512c7143efae5bba05b3927a96b32a3fc1ac457411b378546aca31af8659151eb332185b255d60f2cefb43f8551ea78d7174e617e158a69e0320869b9e01992265f
-
Filesize
627KB
MD5439af873168dece80d82b3320aeab18e
SHA1ab93771d7677d99007cf70dfca7c8d3c68bfee9e
SHA256aabb280e62ded23f3eee537cbb1d868951d9a35076cb502c419af131da10bb79
SHA51214669f2d3c74a71052a41be9389d0a4c00fbb1dacb99c0247adb1cec40aea78b111c37f2789b2dcc9595f4aa9817ea12b031dbab439adb8b07db0d85b2bc57b1
-
Filesize
782KB
MD5364baadf0ad268eef0931b623457bd35
SHA19ab85e81ce84049d308ab99b93fe3c4965f56b57
SHA256b506a190d36310575626efc850f5242adb9659f69fea9f5ebbf973e0eef32c11
SHA512717d0aa0428d263e4c71d7a2419213627aff554aa04d7ce0c4a4a06fb380e9c6b6c33da66214c8cc94710c980d1c5ebffdb995f6321b339b8b0db09f989edb6a
-
Filesize
241KB
MD59a2072a669d73d20f8b26451b73ee4ea
SHA1c30b8824d8a3dbf03814bf0a5d6047c610f18aad
SHA256cb3bfa8782faa7e14bcc61b649adf24776f4d4cd0e1e83c1bb433c3f67cbd6e0
SHA51280452a3c0ca15a14c8760b9682de64642caddce3f7263d469f657ad44ba128dd61775a0d8fc451dede1dc6312b33dfde6561088e4dd96124928c02c50cb1d341
-
Filesize
253KB
MD57a64bed3290445638a098a7757f6e035
SHA1b2e26a344271f268b524bb22d47f7427b01b5ad0
SHA256134c421307e0084275cd57a5187ab54a4c463fb21fac1809a4b1bd3fcc60fa4e
SHA512387de31f52bf726fa9c4c1aff192fd9d400f6a134170f3b599970001ec547f6438e70f252205d16f631b24f41c43cf729714d0ff981d8006950901871028b49f
-
Filesize
458KB
MD5e59ea627f87b16d8fa1fee641629aee1
SHA1bb4a6c3b4a53a55f182ad413901876c9e38cd251
SHA2562b89c6f9c0254f9d0048e9d3c43fa9425f5d21c1a480c1092eda9d9af591d143
SHA5123d720d58b1d36a6524af403ffab2a35d0d22f57dd8b52f5eb1641b0626fddc7957bb7e9626ffee9c04751edfda6ecba6a023dee10fdfbba4f5ecdfd1c0504809
-
Filesize
265KB
MD5f564614369963a6288e46496de6fc3ce
SHA199c2727c5f37d203f5a7a9113d0589fdbae9fb91
SHA25667fe96068fce7e81adcfe9d6a07815065f3a7dc8c9743bc74d4380ea8517b5e7
SHA51240c7fe207e036c710253b8a7fbdf5103c80fb523690109197d940d2feec58a9f1ad434c97c056d1387502dc2d75449ccfd2eb39b075cca7dd777b4a5b29802a1
-
Filesize
320KB
MD5bc5da83795b587fb1dfce2d6bef2d176
SHA1ccfd73ae06c12385a19f0cc836ac8a8bfda8c8d0
SHA256d8539aec2e01d20b840f4c35ae675eca7f85de828282d03c4aabad6034cd8ffb
SHA512503399a12376fd8036d2cc89cfb0652038e708dc9f098c55dfd19c04ff0646ffce31ecbfd84271ad2334058a2aa074bd53f96483d1fcb32bdacdc4a965957ff5
-
Filesize
3.0MB
MD5c309cb9865dfc6dbb7f977f4c0f722c0
SHA1b3a7d7fbedfeb6edd951f4b5d9a28b2af44dbfe9
SHA25651472e512316807270d85560bf6e3030355007c36a4f74d59a286411bb5378b5
SHA512a70067011aa20c814d927e628e229800b0ea6918be755dae17d27edb5ea5072de595d115cd134a8d77ab87e323657b6a0a22e31dbf6a74278e07219e64960797