Analysis
-
max time kernel
92s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
15-12-2024 17:32
General
-
Target
SpyroidRatv8.5OriginalCracked.exe
-
Size
55.7MB
-
MD5
f2a9d485cc841bbd44543973e3739c05
-
SHA1
53235a653bfc5822693e9adfdea01e1164909df9
-
SHA256
37fae2ac78281be79821e625ba969bcd0c11336c56e68b71b5fbb284e9f8fd60
-
SHA512
4de26d0f38868934182e0ef1fc3270990a66eba2c6af340490f55e4bf7f04696f91f93f62457191031d468e34c0ec5f0ba4995df63275dbf77254b1a7d2be56d
-
SSDEEP
786432:JrXC9Vqv1tRgvtgkG8iAl0dYyBGpjKElxsdo/AG9Lqxlwy+WpL15Q7HxJ1KP3u5C:JjC9VvtdG8iV6jKmqdo/ry+gXwIuqxZ
Malware Config
Signatures
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 2 IoCs
-
Stormkitty family
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Remote Service Session Hijacking: RDP Hijacking 1 TTPs 1 IoCs
Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 5 IoCs
-
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
-
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 42 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 41 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\SpyroidRatv8.5OriginalCracked.exe"C:\Users\Admin\AppData\Local\Temp\SpyroidRatv8.5OriginalCracked.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\rl payload.exe"C:\Users\Admin\AppData\Local\Temp\rl payload.exe"2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
-
C:\Users\Admin\AppData\Local\Temp\test rdp.exe"C:\Users\Admin\AppData\Local\Temp\test rdp.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" net user ThanksEgalsa ThanksEgalsa /add3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" user ThanksEgalsa ThanksEgalsa /add4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user ThanksEgalsa ThanksEgalsa /add5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" net localgroup administrators ThanksEgalsa /add3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" localgroup administrators ThanksEgalsa /add4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup administrators ThanksEgalsa /add5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" net localgroup "Remote Desktop Users" ThanksEgalsa /add3⤵
- Remote Service Session Hijacking: RDP Hijacking
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" localgroup Remote Desktop Users ThanksEgalsa /add4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Remote Desktop Users ThanksEgalsa /add5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD89D.tmp.cmd""3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 44⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Spyroid Rat V8.5 Cracked.exe"C:\Users\Admin\AppData\Local\Temp\Spyroid Rat V8.5 Cracked.exe"2⤵
- Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD528854213fdaa59751b2b4cfe772289cc
SHA1fa7058052780f4b856dc2d56b88163ed55deb6ab
SHA2567c65fe71d47e0de69a15b95d1ee4b433c07a1d6f00f37dd32aee3666bb84a915
SHA5121e2c928242bdef287b1e8afe8c37427cfd3b7a83c37d4e00e45bcbaa38c9b0bf96f869a062c9bc6bb58ecd36e687a69b21d5b07803e6615a9b632922c1c5ace4
-
Filesize
11KB
MD58a369fcf8ac06095f9b3bdaed68a680b
SHA1702fa834e2da70b2fac577c9427a4c201b6c15df
SHA25668e2523e551cebc5afcf89e4cbef3aff83cd1287acb385a7253013e83c10a8a9
SHA512e4217503691176425e2bdb086ae937faf1ac67e2cca416d34fb039bb60d6dca24374d38f05371ff782563b6b636fc288e9cdeefb01aa436a5729fcc0df4e3895
-
Filesize
11KB
MD59b8ac70936072dd89456bd6cc63b7897
SHA148b223f298bd622f82b1b2e573dd05e641bce8d1
SHA25656f6419f6608a20920b233cabf0aa5a8849b2077cbd9fc6ac025912fdd1ab719
SHA5124584e47391408806b9fc3c8d82a79ed75d01a8a8235f91b28d98b5942f3dfd0ca6a5449ffdec9ac91f5192d526480624350b8efba8da6205c86519e6357d856b
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
320KB
MD5dfa05cfd683034da7b16c32b76a6619c
SHA1efe6fa32ba1c53155ed6acc32de614a3ca8cadff
SHA2560c67544fc30499491749cc9cda184c4af9e61bf16dd697b402ad936df9e182f3
SHA512cb966cf5dba9b32950b0f96e62dedcaeb1de22ee41a010f247f4e3ac2be602075bcd76d71a431164cee649ba4e91319a4dad41f553260ecffc7c02905d5889f9
-
Filesize
8KB
MD56019493627e029531ac13da62d870719
SHA146d7c20fd308c376e40060ee455743f7b913f7af
SHA2560b85f47949effe436c598cddf1ddabf1b952eac63009d25fdee34f864bc10569
SHA512a125613e5718dea3499e5a1b4b13dc48eef6b5bbc33462ae2a6cda2efd129992fec09ed799be738048c226e4f1743e4cc298236c2c9d2acf41c8301830a328da
-
Filesize
154B
MD5723c2513c722afac8e8dc29b44f1eaff
SHA1d00634e5322eb18f5f7c70504d9ab8d45b7374c8
SHA25656663054845ad5250cb22b2f4e50a1cc9622e9549ec64d7ecdd3d952f446f3d3
SHA512f750c0269f2102dbd9715de04aa5c5ff012e7aaddeea2f903a6c6b1fb94687c228c763681daa9fe2c8270a1afa50388492b5a440e0a4cf5d6166bcedca652563
-
Filesize
105B
MD52e9d094dda5cdc3ce6519f75943a4ff4
SHA15d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
Filesize
495KB
MD53cf117fd8030dc22676aa023c179fc28
SHA1f225b451c66a3b49d1439336edb087baa1faa077
SHA256d230baa5e83a93d4577340a5d130c30df3f8bc2827ed26e05da725c997351b3f
SHA5123c2549b67d6a32e480a2665550b36e25b25641dccfcc4a9b17f9c5f75349aea932e84ca635525e1dfd02dbe1e62f4bb68d88940e107ec1042b2a3173a0ca7a6b
-
Filesize
913KB
MD54863e0bc372ff918f5ad6271962d5b22
SHA1385ae691a92e96c62c680f5e5a18175c3e55c2e3
SHA2569d69fd7c250e09c2e85282f383d316656124b0d47966819211310ba618acc9d3
SHA512216edc3745d6793d16b572e63ff1a0eb66c6b6bd707a594e88f5c2e4b79f204c432a07a5c28204fda1ed539d8db055de09a0b6bcf69f056542c9d783918166a1
-
Filesize
513KB
MD58b042d5e34d583cf6dd7c902ef0ddc00
SHA1ce203fd7d916133eb2afc7b6859927bd1314b267
SHA256212000bb976a18bfcb524389028235aaec25a51a08297127d525d3f3e9994b7f
SHA512fefaae1cd3895aaed724cdeab2512f3f9ba3ee5b36e3ca724555b01270fc2dadc222f7602ac0734afaec716b6a548b1acd46a537647c3f85ad04a69d7a670ef1
-
Filesize
1.2MB
MD5f2bb649fa8e101ae408bc0849e12457d
SHA18bf7c540de45f76c09978d0aedae66cf6b113884
SHA2567c3e9933172e14650422fda6f19b64c0ca7414e8d4d10743df93000b54db1868
SHA512ca81f52823cd04141ad9b69078f3c2447c0d8ee91964d62c5a45e80aeca177eff4c62e94d07f8fe355ce93b38c9309dc4f6d7935aaaec331aac8826208b0f662
-
Filesize
380KB
MD5f192d48442bb0a0d03e79524b72a6ef1
SHA1b6d4e8ab6b04806f54a6552da7ba0638edea1a3f
SHA25640b1526ea728d1df571b26381a24fd420b69b093d93657cb57bac0f9dafca7d3
SHA512dfa94544a051e3304b1f0364a556bd19b53944500b5910ca935961281dd02b139ea9366af6027412a03f20c96a865cd10aac9a021b3f92cd16b10853bfa0b7c7
-
Filesize
240KB
MD5e5d51df1735402a7c47d9cca34d0c585
SHA12ddefbef243c5524550f6d15b0071a0d97b3c985
SHA2568312472e589e6dfc8fa8f3eff3ee4548701f39c4f30116ea2ebdefa6bf4f4321
SHA512d9eee96a990d7a4f8be0611ce95a2bb05eb990d156d77803145a9a08473d2c736dc7f0bf28a9664f454234f29edb1ebf20d1d887da02b451fd18876638bac57c
-
Filesize
320KB
MD574db6ccff903fa08236fc12a9ea8f169
SHA1287611e7df67c20c1df71788d12dbda6a77420b9
SHA256c6f165eda35e46f9ab68e1807a2f72105ec146ac1cf08147377080a94ca9a704
SHA5129e0aacb426e7a74410eccd16b63d07f538c68ec7903a2823a855d390617ad217e178a90ede83f2c59e022d40fcea9f5659c8667d2b5b7618253bf89eccbccfb8
-
Filesize
4KB
MD5e364be01903ae8a2ab86d65fa70b60d9
SHA1b7d6d043917c3783469275abccca17b4ff94f49b
SHA256a487bf0ab627fc24c3f22436b22fcc029e87dee0195484dce611f41401d79149
SHA512f8fcd4e28653567228508379fe7fa778d331e9552912142f9d8b839d80e4c0b8985845b6fcff5b2bc77c2439a7bfd40eefdcda9ed339ae829a684ed058e96253
-
Filesize
32KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
55.8MB
-
Filesize
5.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
344KB
-
Filesize
584KB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
6.2MB
-
Filesize
216KB
-
Filesize
304KB
-
Filesize
66.1MB
-
Filesize
3.3MB
