Analysis

  • max time kernel: 90s
  • max time network: 144s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 01-01-2025 02:48

General

  • Target: 80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
  • Size: 320KB
  • MD5: 1b8dac31eb30bd909fadcd9738c832ca
  • SHA1: 3d5021b656dcb39863d39430a4eddb5d6eb0e177
  • SHA256: 80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660
  • SHA512: 25b02e6ae62add0a550b6c6cf3b1506177012ff94d885f0773fe5a7554d1fee1c96c3f286d6728eae31249eacbfc26d4869633145ba48ff3e6cef54ae8a9e54a
  • SSDEEP: 6144:3m/Q1Q5Ng68j/svmHC40+XIzFUygWK0tWrcBOvv:3m/Q6P8j/svm1TXI5tZB

Malware Config

Signatures

  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload (1 IoC)
  • StormKitty family
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials, cookies and history.

  • Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  • Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops desktop.ini file(s) (3 IoCs)
  • Looks up external IP address via web service (5 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Browser Information Discovery (1 TTP)

    Enumerates browser information.

  • System Location Discovery: System Language Discovery (1 TTP, 1 IoC)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses (28 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • outlook_office_path (1 IoC)
  • outlook_win_path (1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe"
    PID: 1968
    Signatures triggered:
    • Accesses Microsoft Outlook profiles
    • Drops desktop.ini file(s)
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • outlook_office_path
    • outlook_win_path

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\OFGADUSE\Browsers\Firefox\Bookmarks.txt
    Filesize: 105B
    MD5: 2e9d094dda5cdc3ce6519f75943a4ff4
    SHA1: 5d989b4ac8b699781681fe75ed9ef98191a5096c
    SHA256: c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
    SHA512: d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

  • C:\Users\Admin\AppData\Local\OFGADUSE\FileGrabber\Desktop\ExportGet.png
    Filesize: 457KB
    MD5: 508e7c8f620edd2e6c597dfc4a03bc3c
    SHA1: 25573a93fc32421f9326b60683436012672d14de
    SHA256: e551fe89a5d5ffa55df8c60e8e24ba2386285cb883954bdaf83e42412f605e2b
    SHA512: d10a2c9e6d7c7a3d97d92a355a3eed030742b720b7560fd940940e7b5b3656f54d89eaf1540a2ada0534a4d6cc57ef46883a38c21cd4f96d755b495c4c06aa98

  • C:\Users\Admin\AppData\Local\OFGADUSE\FileGrabber\Desktop\RegisterShow.txt
    Filesize: 652KB
    MD5: dc9b6c573566cb264a84ecbeb551183c
    SHA1: 8d8fcd765452ff436d9130d606a0b96bc9d4ac7b
    SHA256: dc0bf2aa691ae7c8f106331530eb63077372035b7aed6d4c8f5fd322e662c815
    SHA512: 9feac23bb974f739b9018dd70bba6931aea53aebd9970bd4b682a4896b2925b049e800584553d50a04e61c85cc6aa1e4f5faad42b19d2905140481b03d439caf

  • C:\Users\Admin\AppData\Local\OFGADUSE\FileGrabber\Desktop\WaitRequest.pdf
    Filesize: 633KB
    MD5: 28821afabc507ddbb41f9fb7e1b3f811
    SHA1: c632a6fd5e5505894a34f502f8da2a46fde4fa32
    SHA256: 74f9bfd4bd022156cc0657731724d591cb4cd43e09736fa487d3b538f08b34fc
    SHA512: b284c9983c7856bf95b37cc7de5f2a428d61d6e90f79cb51d9252576322fdd1e35090d0dd36c7a575b52024b934c6919ccc7db1e9ecf4ab00bdab280a55a59e5

  • C:\Users\Admin\AppData\Local\OFGADUSE\FileGrabber\Documents\FormatWait.rtf
    Filesize: 2.8MB
    MD5: 431a371cf38a738215dd7ce68a6582ea
    SHA1: db1053fe961bcb7221ece78d926b16adefeda71b
    SHA256: b65a47f6bb99ee0d8845b6c084ebd99b03f7735c65cab477ef0661bab5e3358a
    SHA512: e68e5dd61d55349b65f37c52de0c5c83e1def485a3ff42c08fc3c6c9751c7d4ca0a934f83de3d3cc32d9a768df0ecbb68be44ae6dbaca0b454b8fa1c4cd16449

  • C:\Users\Admin\AppData\Local\OFGADUSE\FileGrabber\Downloads\CompressBackup.png
    Filesize: 617KB
    MD5: 65f452beba2c26da64fb5725b94c8af0
    SHA1: abe7b72d17820792b332260aebaebeb945c9a80b
    SHA256: 864e5ba0142ddb730308def3bdbcf6de62b2b359764eea8f6b264f842a5afd3d
    SHA512: ac4a466b2529adf14ca28994c4845dac4957646dcbffe76d09f4af33242fc51ab19710e61493c3d3c31a64520d07db680581e7a60b7e15465553d0e636cdef9d

  • C:\Users\Admin\AppData\Local\OFGADUSE\FileGrabber\Downloads\DenyEnter.jpeg
    Filesize: 633KB
    MD5: b7654d1728fd8f7af39e894d61da3267
    SHA1: a79deceb9f4d680450d40273b6ceefab15e41b4d
    SHA256: 7dad9aaac7f5325d111a207af43360abf1d9a8d6b9a5fa583a161c100ae140b8
    SHA512: 1f525b2a482d91fc4c75b8bf34f8cfd40c42ea7e5e597cd43f2140d542d71aad86bd2ef55a0d7e40fafc0b3257711aa38edfedbde3b76187f06c300e130ebaca

  • C:\Users\Admin\AppData\Local\OFGADUSE\FileGrabber\Pictures\HideCompress.jpeg
    Filesize: 753KB
    MD5: f1c006c82d82f0526d03ee6051475f25
    SHA1: 7fc711ffa1674f0cb3ba4baf4acd36d9abe020d5
    SHA256: 02ac5b07bb4de30228d6f2b1be44724671a78e6ff37cea2cf6a3118986294f18
    SHA512: 38c7bc778db3382603381c5cee16aa6547f3126447e8461436d4078fdd31c8853e8e516a5f25df9b65dcd78f99954a5f854e8cce1b8984929c1f63eec6b440c6

  • C:\Users\Admin\AppData\Local\OFGADUSE\FileGrabber\Pictures\RemoveConvert.jpg
    Filesize: 1.6MB
    MD5: 46328c1852bc76b44307ae7bc7d08479
    SHA1: a572ed9e7e0428e98905b414da2266fbd6143224
    SHA256: 8b8d4e30e75682e35e898b94da633c64181e1c1483d5ab60acfc2ee346eaae7a
    SHA512: 9aba9be1db9640904c94cb0863e2d2e4db1a5947c8e04b09050d3f665193de1ba0fb5f62a1bd91b0d808ffad9ef6eefd7a1e017e988844e03274dc7c5e97b0d1

  • C:\Users\Admin\AppData\Local\OFGADUSE\Process.txt
    Filesize: 4KB
    MD5: 093ef0ab7996bbcb796ccccc1b59494e
    SHA1: 05a7d29ff012e467202d6d989d96c2c80987a75a
    SHA256: d66362f49f31b05747722372a68e491063ae2743c81bc7533768a063fe5e886e
    SHA512: dce97ae8908752d99dbd124aeb0f1dc26dc14ad752d388aabcc95b607aa6c6b353041f0aca59e4420e86c031eed222d47d251d90ed8fc06c04c2cd68b5ea3804

  • memory/1968-25-0x00000000068E0000-0x0000000006972000-memory.dmp
    Filesize: 584KB

  • memory/1968-1-0x0000000000BA0000-0x0000000000BF6000-memory.dmp
    Filesize: 344KB

  • memory/1968-0-0x0000000074F1E000-0x0000000074F1F000-memory.dmp
    Filesize: 4KB

  • memory/1968-2-0x0000000074F10000-0x00000000756C0000-memory.dmp
    Filesize: 7.7MB

  • memory/1968-33-0x0000000006DF0000-0x0000000006E56000-memory.dmp
    Filesize: 408KB

  • memory/1968-31-0x0000000006F30000-0x00000000074D4000-memory.dmp
    Filesize: 5.6MB

  • memory/1968-227-0x0000000074F1E000-0x0000000074F1F000-memory.dmp
    Filesize: 4KB

  • memory/1968-229-0x0000000074F10000-0x00000000756C0000-memory.dmp
    Filesize: 7.7MB

  • memory/1968-254-0x0000000074F10000-0x00000000756C0000-memory.dmp
    Filesize: 7.7MB