General
Target: Discord.AIO(1).rar
Size: 5.5MB
Sample: 241125-fgk81szjew
MD5: 3d588221b2c9781893e7b1ab01dc3fca
SHA1: b5b04487b86a3cb53acff6bb28987567460203bf
SHA256: 0e4eb858a365905513d5a052b94a350f257a968cbb2c33245e18df8f7e36d9e1
SHA512: a44d7cb00117c82dcbd797c5c3baabafda957174200cc0a914ff6bd80078816133be874dd12b6c11c6cb7312d1590f015b4231714b0cbd411b8e923ef97f18d1
SSDEEP: 98304:ln8/RJ25ew2yquO6/6mC1POC/vKfu+QQLUqnsjJcTIRUKKnI6tw0/lO8jraVv2pe:lnGIj2juO6/671POeEuNQQGcJcSK520K
Static task: static1
Behavioral task: behavioral1
Sample: Discord.AIO(1).exe
Resource: win10v2004-20241007-en
Malware Config
Targets
Target: Discord.AIO(1).exe
Size: 6.5MB
MD5: 7adc6022bb09db5e263fb294aaab2566
SHA1: 77746a413c35573521c14eba036a2da5da68526a
SHA256: 54bb1a394197df666003cd83a607b364b373c32df999c51f3c14bb830fc776ee
SHA512: 21922589a3dc6fd2ccf4545dceb15249ca8882d946d9a29a90248dec55ed41b719d9d835381e0115a10d58957dbbc7ac3a277c2e1e88f398c672bed8e249a11a
SSDEEP: 98304:27w0WYwOYA4vWVU4fgcmnH3EPIL6yFs9u/FpboNe7mZD7JOu9mq2Jo2N/03FIgcG:ts4vkmXas+6cOGR2JFNmWZCZ
Score: 10/10

Signatures
Contains code to disable Windows Defender
  A .NET executable containing code that disables Windows Defender capabilities such as real-time monitoring and block-at-first-seen.
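A practical check for this signature on any suspect binary, added here as an example (it is not code from the report, the sandbox, or the sample): a scanner for Defender-tampering strings that searches both ASCII and UTF-16LE. The second encoding matters because .NET stores string literals as UTF-16LE in the assembly's #US metadata heap, so an ASCII-only grep for `Set-MpPreference` misses exactly the case this signature describes. The indicator watchlist, the two-indicator threshold and the constructed byte blob are assumptions for illustration, not strings recovered from this sample.

```python
"""Find Defender-tampering indicators in a binary, in ASCII and UTF-16LE.

Added example; not code from the report, the sandbox, or the sample.
.NET user strings live in the #US metadata heap as UTF-16LE, so an
ASCII-only search misses them. The indicator list below is an assumption
(common Set-MpPreference switches and policy value names), not strings
recovered from this sample.
"""
import re
import sys

# Assumed watchlist of strings typically seen in Defender-tampering code.
DEFENDER_INDICATORS = (
    "Set-MpPreference",
    "Add-MpPreference",
    "DisableRealtimeMonitoring",
    "DisableBlockAtFirstSeen",
    "DisableIOAVProtection",
    "DisableBehaviorMonitoring",
    "SubmitSamplesConsent",
    "ExclusionPath",
    "DisableAntiSpyware",
    "MpCmdRun",
)


def _compile_patterns():
    """One case-insensitive bytes regex per (indicator, encoding) pair."""
    patterns = []
    for ind in DEFENDER_INDICATORS:
        for label, enc in (("ascii", "ascii"), ("utf16le", "utf-16-le")):
            pat = re.compile(re.escape(ind.encode(enc)), re.IGNORECASE)
            patterns.append((ind, label, pat))
    return patterns


_PATTERNS = _compile_patterns()


def find_defender_tampering(data: bytes):
    """Return (indicator, encoding, offset) tuples sorted by file offset."""
    hits = []
    for ind, label, pat in _PATTERNS:
        for m in pat.finditer(data):
            hits.append((ind, label, m.start()))
    return sorted(hits, key=lambda h: h[2])


def is_defender_tampering(data: bytes, min_distinct: int = 2) -> bool:
    """Verdict: at least min_distinct different indicators are present.

    Requiring more than one indicator cuts noise from benign admin
    tooling that merely mentions a single cmdlet name.
    """
    return len({h[0] for h in find_defender_tampering(data)}) >= min_distinct


def build_sample_blob() -> bytes:
    """Constructed input resembling a .NET stealer fragment (not real sample bytes)."""
    ps_cmd = ('powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true '
              '-DisableBlockAtFirstSeen $true"')
    reg_path = b"SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware"
    return (b"MZ\x90\x00" + b"\x00" * 16
            + ps_cmd.encode("utf-16-le")   # how a .NET string literal looks on disk
            + b"\x00" * 8 + reg_path + b"\xff" * 4)


if __name__ == "__main__":
    # Usage: python defender_strings.py <file>; with no argument, scans the constructed blob.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_blob()
    for ind, enc, off in find_defender_tampering(blob):
        print(f"0x{off:08x} {enc:8} {ind}")
    print("verdict:", "defender tampering" if is_defender_tampering(blob) else "clean")
```

The same dual-encoding search is what YARA's `ascii wide` string modifiers give you; the Python version is useful when you want offsets and a verdict in a triage script. Packed or obfuscated samples (StormKitty builds are often obfuscated) will only show these strings after unpacking or at runtime, so a clean result from static scanning is not a clean verdict.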
StormKitty payload
StormKitty family
Downloads MZ/PE file
A potential corporate email address has been identified in the URL: i|Q@wizSCql
Executes dropped EXE
Loads dropped DLL
Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
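Detection logic for this behaviour, added here as an example that is not part of the report: it runs over DNS-query telemetry of the shape Sysmon Event ID 22 provides (time, host, image, query), here as a constructed CSV, matches queries against a watchlist of public IP-echo services, and weights the alert by the requesting process. Browsers visiting these sites are common and low value; a freshly dropped executable in a user profile querying one is the signal. The domain watchlist, the browser list, the hostnames and the log lines are all constructed assumptions.

```python
"""Flag external-IP lookups by process context in DNS query telemetry.

Added example; not part of the sandbox report. Input is a constructed
CSV carrying the fields Sysmon Event ID 22 provides (time, host, image,
query). The watchlist of IP-echo services and the browser list are
assumptions to extend from your own telemetry.
"""
import csv
import io

# Assumed watchlist: public IP-echo services commonly used by stealers.
IP_LOOKUP_DOMAINS = {
    "api.ipify.org", "icanhazip.com", "ip-api.com", "ipinfo.io",
    "checkip.amazonaws.com", "ifconfig.me", "api.myip.com", "ipwho.is",
}

# Processes for which a visit to such a site is usually a human at a keyboard.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}

# Constructed log lines (not telemetry from the analysed sample's run).
SAMPLE_LOG = """\
ts,host,image,query
2024-11-25T10:01:02Z,WS-01,C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe,www.example.com
2024-11-25T10:01:05Z,WS-01,C:\\Users\\alice\\Downloads\\Discord.AIO(1).exe,api.ipify.org
2024-11-25T10:01:06Z,WS-01,C:\\Users\\alice\\Downloads\\Discord.AIO(1).exe,cdn.example.net
2024-11-25T10:02:00Z,WS-02,C:\\Program Files\\Mozilla Firefox\\firefox.exe,ipinfo.io
2024-11-25T10:03:10Z,WS-03,C:\\Users\\bob\\AppData\\Local\\Temp\\build.exe,icanhazip.com
2024-11-25T10:03:11Z,WS-03,C:\\Users\\bob\\AppData\\Local\\Temp\\build.exe,api.ipify.org.example.net
"""


def is_ip_lookup(query: str) -> bool:
    """Exact or subdomain match against the watchlist; trailing dot and case ignored.

    A suffix check with a leading dot keeps look-alikes such as
    api.ipify.org.example.net from matching.
    """
    q = query.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in IP_LOOKUP_DOMAINS)


def detect_ip_lookups(log_text: str):
    """Return one alert dict per watchlisted query, severity set by the process."""
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if not is_ip_lookup(row["query"]):
            continue
        exe = row["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        severity = "low" if exe in BROWSERS else "high"
        alerts.append({"ts": row["ts"], "host": row["host"], "image": row["image"],
                       "query": row["query"], "severity": severity})
    return alerts


def high_severity_hosts(log_text: str):
    """Hosts with at least one non-browser IP lookup, for triage ordering."""
    return sorted({a["host"] for a in detect_ip_lookups(log_text)
                   if a["severity"] == "high"})


if __name__ == "__main__":
    for a in detect_ip_lookups(SAMPLE_LOG):
        print(f'{a["ts"]} {a["host"]} {a["severity"]:4} {a["query"]:16} {a["image"]}')
    print("triage first:", ", ".join(high_severity_hosts(SAMPLE_LOG)))
```

In a real deployment the process context deserves more than a browser allowlist: signer, parent process and whether the image path is under a user-writable directory all sharpen the severity, and the same query from a LOLBin such as curl.exe or PowerShell should stay high.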
MITRE ATT&CK Enterprise v15
Defense Evasion
  Modify Registry (T1112): 1
  Subvert Trust Controls (T1553): 1
    Install Root Certificate (T1553.004): 1
Credential Access
  Credentials from Password Stores (T1555): 1
    Credentials from Web Browsers (T1555.003): 1
  Unsecured Credentials (T1552): 1
    Credentials In Files (T1552.001): 1