Overview

overview

10

Static

static

1

Creative_B...n).lnk

windows7-x64

6

Creative_B...n).lnk

windows10-2004-x64

10

Creative_B...ob.ps1

windows7-x64

10

Creative_B...ob.ps1

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    09bba91a3346b026387e05f996f39b76e6c0e36596626640d436ee21c08acfe5.zip

  • Size

    14.5MB

  • Sample

    241214-cj3djasph1

  • MD5

    f26d9facbe0f111bef4d91120eaa8895

  • SHA1

    6ef0757ed591ce257f97209fba5e5a8daac2c9d4

  • SHA256

    09bba91a3346b026387e05f996f39b76e6c0e36596626640d436ee21c08acfe5

  • SHA512

    d0a2a5352198061ace016a8b256bbd55810d5c45f28de3bf69c251b7a47dd8bc79cdabfa9e55202e57bd907a22ec670e36b38e09117d217b979ff1e5f285a0c4

  • SSDEEP

    393216:iuihKQgl33Fb3p/cIDoisNrHhxEYsaN/HnbNf1WpcLAcGRrou:iTwQgl3l3pPJ4rHh1N/nhCcLm

Score
10/10
asyncratstormkittydefense_evasiondiscoveryexecutionpersistenceratstealer

Malware Config

Targets

    • Target

      Creative_Brift_Marketing/Creative Brift Marketing Sneaker Daily Deal (6 month plan).lnk

    • Size

      2KB

    • MD5

      d555393c916ab9e4e58f027550375e2b

    • SHA1

      a63e4defb613ee8e3543bdb43046d727710e65a0

    • SHA256

      4d6eb5362d88fbc0d72285c12538b7233529f2ced117aa07bb6d2cd22a6c3db1

    • SHA512

      ab6712f292f132631b92c183f694ee4637e64ac02ed71c72a03a8344ac6bb7c5ecac703676a23706259e6528fd0a95573bdb4de820bbf589c4fc4c9d898f0e4b

    Score
    10/10
    defense_evasionexecutionasyncratstormkittydiscoverypersistenceratstealer

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Asyncrat family

      asyncrat

    • StormKitty

      StormKitty is an open source info stealer written in C#.

      stealerstormkitty

    • StormKitty payload

    • Stormkitty family

      stormkitty

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      Creative_Brift_Marketing/Potential products want to increase sales/job.bin

    • Size

      30.6MB

    • MD5

      f01f7141f5dcb2161ee0701949f91e70

    • SHA1

      28d2427ee1cd5f4c2a17f020bfaea95daece07d6

    • SHA256

      68225e21f08b08bd1890e8e0a5d1b379cd9692a2c4a43bffd7ea6bee5e5b409d

    • SHA512

      6cd177e2d4b385365eb9f549d2f869f1a40483e1c8a4fe0655146c7ca28090cdf14ac9c2a8a1cb7c385f6f824fe2da422b1714cb2ca851a0d1a18cb3be2a31e1

    • SSDEEP

      49152:/0p9Wz0S8ygXipUpxf2H21a1RFvpB8ciXBXsdO6QKUP+Vzfcw3S6T3G4n/1kbC9z:5

    Score
    10/10
    asyncratstormkittydiscoveryexecutionpersistenceratstealer

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Asyncrat family

      asyncrat

    • StormKitty

      StormKitty is an open source info stealer written in C#.

      stealerstormkitty

    • StormKitty payload

    • Stormkitty family

      stormkitty

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks