Analysis
-
max time kernel
139s -
max time network
108s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
25-10-2024 06:15
Behavioral task
behavioral1
Sample
FindWalletv3.2-Crack.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
FindWalletv3.2-Crack.exe
Resource
win10v2004-20241007-en
General
-
Target
FindWalletv3.2-Crack.exe
-
Size
3.5MB
-
MD5
68f929dc1286bf7af65bf056845f9b42
-
SHA1
1f1d9848811b3c00066f8be86035fda994ceedfd
-
SHA256
0d20648267d3004ba95b04f9ef01f3f6e40644b46773990807c2741adbdd3d82
-
SHA512
d2019f58239c44e8a0b2e92c04985943c998e32974b9a322fd3d925c13ec83b733520ddc06c15b2e43ab2587b1fbb4f799b6972f5f9b4069c5d7023cf720249a
-
SSDEEP
24576:GfP8j/svhs+hp5kH4vysV988IMf4r27GCS040YVqxzvXyKxNt38GT8JDPVv5+2tp:UP8j/MW+ise8IW4rF5ovXy6t7BQj1
Malware Config
Signatures
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 2 IoCs
resource yara_rule behavioral2/files/0x000c000000023b93-7.dat family_stormkitty behavioral2/memory/892-28-0x0000000000B50000-0x0000000000BA6000-memory.dmp family_stormkitty -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation FindWalletv3.2-Crack.exe -
Executes dropped EXE 2 IoCs
pid Process 892 Client.exe 2476 Find Wallet v3.2-Crack.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Client.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Client.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Client.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 4 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\ZTSLLRFH\FileGrabber\Pictures\desktop.ini Client.exe File created C:\Users\Admin\AppData\Local\ZTSLLRFH\FileGrabber\Desktop\desktop.ini Client.exe File created C:\Users\Admin\AppData\Local\ZTSLLRFH\FileGrabber\Documents\desktop.ini Client.exe File created C:\Users\Admin\AppData\Local\ZTSLLRFH\FileGrabber\Downloads\desktop.ini Client.exe -
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 8 freegeoip.app 9 freegeoip.app 42 api.ipify.org 43 api.ipify.org 44 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language FindWalletv3.2-Crack.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Client.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Find Wallet v3.2-Crack.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 Client.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier Client.exe -
Suspicious behavior: EnumeratesProcesses 26 IoCs
pid Process 892 Client.exe 892 Client.exe 892 Client.exe 892 Client.exe 892 Client.exe 892 Client.exe 892 Client.exe 892 Client.exe 892 Client.exe 892 Client.exe 892 Client.exe 892 Client.exe 892 Client.exe 892 Client.exe 892 Client.exe 892 Client.exe 892 Client.exe 892 Client.exe 892 Client.exe 892 Client.exe 892 Client.exe 892 Client.exe 892 Client.exe 892 Client.exe 892 Client.exe 892 Client.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 892 Client.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2596 wrote to memory of 892 2596 FindWalletv3.2-Crack.exe 85 PID 2596 wrote to memory of 892 2596 FindWalletv3.2-Crack.exe 85 PID 2596 wrote to memory of 892 2596 FindWalletv3.2-Crack.exe 85 PID 2596 wrote to memory of 2476 2596 FindWalletv3.2-Crack.exe 86 PID 2596 wrote to memory of 2476 2596 FindWalletv3.2-Crack.exe 86 PID 2596 wrote to memory of 2476 2596 FindWalletv3.2-Crack.exe 86 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Client.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Client.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\FindWalletv3.2-Crack.exe"C:\Users\Admin\AppData\Local\Temp\FindWalletv3.2-Crack.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Users\Admin\AppData\Roaming\Client.exe"C:\Users\Admin\AppData\Roaming\Client.exe"2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:892
-
-
C:\Users\Admin\AppData\Roaming\Find Wallet v3.2-Crack.exe"C:\Users\Admin\AppData\Roaming\Find Wallet v3.2-Crack.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2476
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
105B
MD52e9d094dda5cdc3ce6519f75943a4ff4
SHA15d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
Filesize
666KB
MD50b9a45c285cbba136975ce1715861cb7
SHA15e125d7c6d572c49e9bd5d03b67b4713ff9b5a08
SHA2566b535be93f58df2fd6eb283d2f2032f41cd5c134d94ac0106580b6a87fdf8cd9
SHA512e459d50f345553d279ab0c07d09df78e1548fed3b0e997623207651192b6e26f62162d49d68ccb1c8d6dfade6ae233e256ae80f35ac97d2f9e59fa4fcf73d77c
-
Filesize
633KB
MD5f142fc56a95146b97fcefde3d00df35e
SHA1ef1799de66acae8b28ddf64decd9a29e348fe628
SHA256ab183483d5a03277831b12021ff3512880291a0484579d1eb221f5e1a4323b64
SHA512697010cbd48edc048cef2b0a9dde196e1d5b916b5fec6a3261ea2031a53a03beb76939ebda5a33df4a8e6118cb75dfb255b3b77bef0ab179084ef823cdf919bf
-
Filesize
1.2MB
MD5f61128b3160e47e4390bd9ba14b37e17
SHA1f8d9e98e4598ba655dd4fcb2b451d5a3ad3706b2
SHA2568d3c02613d580fffd44429df94889945569a57aca2fbcdeeee43edff3a057db5
SHA512e3a0b144f6af1c0d6901e79adcb56dc46e8107382a47531098690c9a5777c11db96cd3b8433f9c34cbb4637d6fc4e7df1e15e342f7085d8e40692d990f36f703
-
Filesize
1.9MB
MD5b3a76e717bcd65653de8f52d6a4f21c7
SHA19dc5b9195fccc98b489ee67b5a7b3b79902c7ba4
SHA2568f9fd8e63d58c3dfb425921a4fb960a78a13fcbb64bfacbf7f3dc8a3ecaaf80e
SHA5125ffb226c06b2375d32381b33e40a37143d5c012c8cf5f3673a7b55cb46dbe049ce7709de4a442db3d4c38227ee504ea1e6561affb42df3b7a32b96e2c8d9907f
-
Filesize
1.0MB
MD5ea09ded02d43017f3cc995e8c065d176
SHA1e888f0af3f2f17be7e8728b876a5becd86bc7e17
SHA256490c65e7fbf0a51640b21310a25d96195b1821d6f79ad395cb169617d94a97a7
SHA512afaa16cb83e306e3a0e2d23f3568bb1d344312b91304bfd3987791cfb7d1738a8d2d84482c8110fd32f9da61bc5df2ab95509c09b07ad97eef6a7c1942b74480
-
Filesize
1.2MB
MD56a858892a9248ce9505016188b832c89
SHA1cb7b52b7e7e5c761eaeae3d3a58395e75a3633f5
SHA256bd10f7fe7649e22d986e279d07fc3c4860d02b2f80b241bd691f1cb02b2c1a6c
SHA512acdf8b52bd44ea9b8374c43ccee85de148406a43cc953e93f26394f1e66d25feb83af80a6ff3420a734bcc3de5dace14e8dc25455a9d9a864c135b8feaf73aef
-
Filesize
266KB
MD579e68caf1f7e84dff4359f1cc4bfedca
SHA185b775713c004813b47558bb2814cb736541b995
SHA256aa72c364fd3bc7d1872d09e6bf653b1083f9006c49c1a57563f2bdc970a04e61
SHA512920ea27db7c938ffb358e2d8471facd78e625210cca1c5418735c400ab2b997d61bc05d1d0632584effcab3f4ab33d63361b960c4eb2468d1699b7ad8362fc5b
-
Filesize
564KB
MD5f0378b89e99000f4ae042e5e512860cc
SHA1f4384c44207f623b4477a44c75ab1461f3ed4978
SHA256c1008374168363a62179c713634b87b9d626950f437600b49f56aa54c7ff108e
SHA51286e16a94b966e6b54dd4130a3f0840405f69b0833932d423ab63b5846cf3610fd8d3c206191bf979d571729eb8d5ea6eac4a266df26487892bb0414d8da66693
-
Filesize
308KB
MD5b0b41411da1aa96b9ae0506307e98466
SHA149d3f24b7486ad7ac123d47fdc6115249c6575dc
SHA25654e9d0c46b3a3f226ace5363aca624fd10c334bbf5e46117a07d014c1008298c
SHA5129bdf503b68b6b0c427b2d3ac0367df197660ecc5063b5b54fedde4e555bd3d4fe0c0833fe2c7529fae9006481d951d654ffcc950e5169c416a81dd3eb380567a
-
Filesize
330KB
MD59d1c025fb014760ec38d4922c69ea7f5
SHA16ddd900ddcea8660e601424cfe74406499e7b2aa
SHA2560ac83485205ab5c1678280eb09e03cdf3773179b453ca5a07cbfa0a24d1f30ef
SHA512f48ae31a825f5dd0055d0288d7a676f23717af07be14562be733d774870b928894599b89e7c47c988b9f88606bc75abbd83617876be7efc6faac1f88d7a70b51
-
Filesize
4KB
MD502bc546cd669077d1a5c5f1c1ae5b265
SHA12eb5640219ebab51e355c3b862d9dce60361db00
SHA256aff670b25fe8934c6630d1e03ed6470d5cfcb38165972739aa7a83fc7dc2c776
SHA51241eaa4e3d833c0a3ac1476ed3334514a07f5a606948bb47964cf1107646817b04a9a797e81e67a56afea17e19018118525686963fb82ed9081faee34bc1c640d
-
Filesize
320KB
MD5bc5da83795b587fb1dfce2d6bef2d176
SHA1ccfd73ae06c12385a19f0cc836ac8a8bfda8c8d0
SHA256d8539aec2e01d20b840f4c35ae675eca7f85de828282d03c4aabad6034cd8ffb
SHA512503399a12376fd8036d2cc89cfb0652038e708dc9f098c55dfd19c04ff0646ffce31ecbfd84271ad2334058a2aa074bd53f96483d1fcb32bdacdc4a965957ff5
-
Filesize
3.0MB
MD5c309cb9865dfc6dbb7f977f4c0f722c0
SHA1b3a7d7fbedfeb6edd951f4b5d9a28b2af44dbfe9
SHA25651472e512316807270d85560bf6e3030355007c36a4f74d59a286411bb5378b5
SHA512a70067011aa20c814d927e628e229800b0ea6918be755dae17d27edb5ea5072de595d115cd134a8d77ab87e323657b6a0a22e31dbf6a74278e07219e64960797