Resubmissions

24/03/2025, 04:06

250324-epe7aswwaz 10

17/03/2025, 21:48

250317-1nzp7syxd1 10

General

  • Target

    fix (4).bat

  • Size

    2KB

  • Sample

    250317-1nzp7syxd1

  • MD5

    160b408ccc1bd513057cba516f4436e7

  • SHA1

    0deecfee13ebc656eecc6aaab2a8978bc93268d0

  • SHA256

    50c4082ed4c65e96649e53ba20fec89ead550d4774901dcccaf562db79a9e3e4

  • SHA512

    74777e896abd4ca6f4282a1dff09c133f95ecd17f1bb48140fce2f2cca615e5be034950cdf8d3ad3846338f442c8e326fac69ef1b18104bd344e7cd33bdec933

Malware Config

Targets

    • Target

      fix (4).bat

    • Size

      2KB

    • MD5

      160b408ccc1bd513057cba516f4436e7

    • SHA1

      0deecfee13ebc656eecc6aaab2a8978bc93268d0

    • SHA256

      50c4082ed4c65e96649e53ba20fec89ead550d4774901dcccaf562db79a9e3e4

    • SHA512

      74777e896abd4ca6f4282a1dff09c133f95ecd17f1bb48140fce2f2cca615e5be034950cdf8d3ad3846338f442c8e326fac69ef1b18104bd344e7cd33bdec933

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Chaos family

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Stormkitty family

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Blocklisted process makes network request

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Disables Task Manager via registry modification

    • Downloads MZ/PE file

    • Uses browser remote debugging

      Can be used control the browser and steal sensitive information such as credentials and session cookies.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks