Overview

overview

10

Static

static

3

SpyroidRat...ed.exe

windows7-x64

10

SpyroidRat...ed.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    SpyroidRatv8.5OriginalCracked.exe

  • Size

    55.7MB

  • Sample

    241215-v4fz5s1mct

  • MD5

    f2a9d485cc841bbd44543973e3739c05

  • SHA1

    53235a653bfc5822693e9adfdea01e1164909df9

  • SHA256

    37fae2ac78281be79821e625ba969bcd0c11336c56e68b71b5fbb284e9f8fd60

  • SHA512

    4de26d0f38868934182e0ef1fc3270990a66eba2c6af340490f55e4bf7f04696f91f93f62457191031d468e34c0ec5f0ba4995df63275dbf77254b1a7d2be56d

  • SSDEEP

    786432:JrXC9Vqv1tRgvtgkG8iAl0dYyBGpjKElxsdo/AG9Lqxlwy+WpL15Q7HxJ1KP3u5C:JjC9VvtdG8iV6jKmqdo/ry+gXwIuqxZ

Score
10/10
stormkittycollectiondiscoverylateral_movementspywarestealer

Malware Config

Targets

    • Target

      SpyroidRatv8.5OriginalCracked.exe

    • Size

      55.7MB

    • MD5

      f2a9d485cc841bbd44543973e3739c05

    • SHA1

      53235a653bfc5822693e9adfdea01e1164909df9

    • SHA256

      37fae2ac78281be79821e625ba969bcd0c11336c56e68b71b5fbb284e9f8fd60

    • SHA512

      4de26d0f38868934182e0ef1fc3270990a66eba2c6af340490f55e4bf7f04696f91f93f62457191031d468e34c0ec5f0ba4995df63275dbf77254b1a7d2be56d

    • SSDEEP

      786432:JrXC9Vqv1tRgvtgkG8iAl0dYyBGpjKElxsdo/AG9Lqxlwy+WpL15Q7HxJ1KP3u5C:JjC9VvtdG8iV6jKmqdo/ry+gXwIuqxZ

    Score
    10/10
    stormkittycollectiondiscoverylateral_movementspywarestealer

    • StormKitty

      StormKitty is an open source info stealer written in C#.

      stealerstormkitty

    • StormKitty payload

    • Stormkitty family

      stormkitty

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Remote Service Session Hijacking: RDP Hijacking

      Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

      lateral_movement

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

1
T1098

Privilege Escalation

Account Manipulation

1
T1098

Defense Evasion

Modify Registry

1
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Browser Information Discovery

1
T1217

Permission Groups Discovery

1
T1069

Local Groups

1
T1069.001

Query Registry

3
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Remote Service Session Hijacking

1
T1563

RDP Hijacking

1
T1563.002

Collection

Data from Local System

2
T1005

Email Collection

1
T1114

Command and Control

Exfiltration

Impact

Tasks