General

  • Target

    archive_47.zip

  • Size

    68.7MB

  • Sample

    250322-g1h4fay1c1

  • MD5

    147a748956fabf640b28433daca32455

  • SHA1

    23d3ae0a80c8346254f88020c671b86cbca9a9e6

  • SHA256

    e0b7deb5306d43671d3800515bdf5b31455b483a06862be563813eabea3e181d

  • SHA512

    eef3fae3513780a43bcf68456efa86b1e3e70179796c2b19bdccb38e93840a8ac012f999735651a4c79a8ead619248dfc5483e4e71afee017f4c821242ff0a43

  • SSDEEP

    1572864:1YQ1b1qgei+uoT1XESQfq3CziA3cgdyLyCCO0MEuYYZmTpL8EE4gOvRrTtIlNy:uQxEgeVTh/QS3ZqLGlmY0LE4gUINy

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

LoL Checker

C2

dawid10666-47477.portmap.host:47477

Mutex

Windows

Attributes
  • reg_key

    Windows

  • splitter

    |-F-|

Extracted

Family

xworm

C2

127.0.0.1:5800

vdtihjde7oo-57882.portmap.io:57882

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Extracted

Family

arrowrat

Botnet

XM48X3

C2

185.196.8.31:1338

Mutex

HHE4QB

Extracted

Family

asyncrat

Version

| nelsontriana980

Botnet

Default

C2

newservice.duckdns.org:11103

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

xworm

Version

5.0

C2

216.250.251.96:49916

Mutex

lwTzmSTIZWeTGLO3

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

aes.plain

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1351005466335121518/twCTnfzoSiI-aCcNO4qPr6FH-T4gOkPWQV2wxS9C01GGw7XemgcLtgFXaMAxuEVtAD2v

https://discord.com/api/webhooks/1352290842009796729/G8yLk-T0sLJfX9oqfGwDEn679VpKN-s9_di6iL35v7J0EuZOmgrqGv_vPjXY_ihAjPfX

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Boy12345#

Targets

    • Target

      bfccbd145f18146e443f2ce65a8c8c11.exe

    • Size

      2.0MB

    • MD5

      bfccbd145f18146e443f2ce65a8c8c11

    • SHA1

      50bb39effd4b7f59c94101b98034b1b4133a2e34

    • SHA256

      7591fc12bc41fb61f813e9685ccad5356fd2262ad14d4b440ec07bcc1dcc2956

    • SHA512

      8474f468b8a77af4fe8e4e321c5dddcc760427bd4d031d10fdc85d823ac755da29d66fc4181519a64fec10601110fec7da28417f04b037e7a63a51fe79e9f3b5

    • SSDEEP

      49152:jrYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:jdxVJC9UqRzsu+8N

    • Score

      10/10
    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Target

      bff2e9336d217437b4cca77856867f1b.exe

    • Size

      1.9MB

    • MD5

      bff2e9336d217437b4cca77856867f1b

    • SHA1

      99f8ea54c8fc0cd346a9e068ed4e697e6f6ec264

    • SHA256

      a6a8385b2dfec8b247a806f97a08878ee058b8155cb43f6b61924d849b0c608a

    • SHA512

      3bcd140119ec7035d36bd714e2f0069a5df017ed5c2356bd233e22b845a07fc3aecc9851e88bcfbbad92184ccf3e500cce10734fa2949beba40c7d7d99ce3655

    • SSDEEP

      24576:Uz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:UOMX0/08SVYTcxMXPxthD

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings and add exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Checks whether UAC is enabled

    • Target

      c015c769dc2854aed713103935c1cbcd71c6677d940e43a91c0c7f7772b9b77b.exe

    • Size

      255KB

    • MD5

      bd50358f93bb3221bf89456ad679e9bb

    • SHA1

      4a1d4c1533d5d6e20701f63d249cfc8626635828

    • SHA256

      c015c769dc2854aed713103935c1cbcd71c6677d940e43a91c0c7f7772b9b77b

    • SHA512

      8a6e6106bb585c1f12075d428f5e41e85ff3f31cec91444298d11b221c305cf8889d2ee4a0ab7fb04aeebf7181df08357e5d45353c1a3777a2a97780f7dfad6e

    • SSDEEP

      6144:1F7sOUNEkrkp2Ok0S/kFv8siDIwc4mPthghXc2:/7spNjrXNYKVtN

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Sectoprat family

    • Target

      c02e930808a65ef9fba82fc9cf46fcb8f2c064b70c35504c1b401a3b2c825b0e.exe

    • Size

      601KB

    • MD5

      d00f6c8abb451a5b09bedb250a3a9ac9

    • SHA1

      efddf7d4db29edc953196c38dd54c748ab13f158

    • SHA256

      c02e930808a65ef9fba82fc9cf46fcb8f2c064b70c35504c1b401a3b2c825b0e

    • SHA512

      0b970ea71a4f63230031f0dc24ba0ef3cacc6749e4a5b15dd16e8fe6215e67f845565a3db8b9a6cd57cd070e45e69cd3516913b95b4e39857319bcfda9dd6fc5

    • SSDEEP

      6144:EtT/Yq3v9Auky+4dusAIFB++velibxPyp/64wjOjn6cB3rU:g6u7+487IFjvelQypyfy7U

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      c050e8dee0ecfccab6e06491c39fe078.exe

    • Size

      12KB

    • MD5

      c050e8dee0ecfccab6e06491c39fe078

    • SHA1

      39f9f5b7055a11e32f97be97764fcefdb0db7885

    • SHA256

      a69b5776da05eb7c96ed317dfb00e2a677e79b74aaf7544bbe071a4654e97590

    • SHA512

      b632a74947d7d3aa044ff5c4176b4e305293b7f0c8e369920f36c06deffd5ef9b5f209f948d639e73f2619e277a57bbb024af2d9cba6a72957f1ea8c327662d0

    • SSDEEP

      384:LL7li/2z3q2DcEQvdfcJKLTp/NK9xa0y:fDMZQ9c0y

    • Score

      7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Target

      c06923d356f2cec7eb28dc4224f24f43daee5fa1c13659c1d814849d01da6f32.exe

    • Size

      12.4MB

    • MD5

      eb9198e87da72f5fb0ec127d9cd805ac

    • SHA1

      513d4b80ff6019b3e96ebccb42cf463690dee1bc

    • SHA256

      c06923d356f2cec7eb28dc4224f24f43daee5fa1c13659c1d814849d01da6f32

    • SHA512

      896dbdaa3a602b74cadcc461988aa569e7e97b053065b839d73eeaf76829b41485331e26d1a7fee359ca533cf90dcdadff7d51524b00b2dbb4b60e5fdc2028de

    • SSDEEP

      393216:sHXMr/H4Fij6v42vQREwbXN+umS29dZo:ocr/4FiOvyREwbd+b9dZ

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an open source modular stealer written in C#.

    • Umbral family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Target

      c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe

    • Size

      1.6MB

    • MD5

      1d5a1ae245a5e111a2587dbdb7dce8af

    • SHA1

      c3e74dedff703865d0455ab498b2fd3cb6e7aa00

    • SHA256

      c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e

    • SHA512

      75f5d287ebc247ac0aa2825dcb784894b31b4665a52994b0154ce9c1386dacb3fb72affaa32d9e86729e7da28f91c9c7f8eb2c755ac44c77c3c095e304ab367c

    • SSDEEP

      24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings and add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Target

      c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe

    • Size

      1.9MB

    • MD5

      edcab28f5aae28489cb2ca6933a2f2be

    • SHA1

      8226e84872a864d71d6f23a6927d1b603c53a0b7

    • SHA256

      c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4

    • SHA512

      240cedf9b820b28c66ce25d8e6591155906302dec4b234c5a697bbd3bdd6eec39874b09110be01883dac74cba494e46be356cd445a1cc16a3b269e720b1cff6a

    • SSDEEP

      49152:lD4qFYryHb84s5guM/UpXR/+7SjWnjb8Ydp1:lDC4si4bGmjWnkYdf

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings and add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Target

      c0b8bc022f22daca9f588a7b6ae4ca9a19c813b07ea437b6d3a9d7549b6b8659.exe

    • Size

      527KB

    • MD5

      d022e3b1adcea1a944710591de710c13

    • SHA1

      af3d59f997c5c284bb0ee44c10d633bcc91241cf

    • SHA256

      c0b8bc022f22daca9f588a7b6ae4ca9a19c813b07ea437b6d3a9d7549b6b8659

    • SHA512

      14cbc418d05ffc9167e326ad71ce60dda1147a2fb97a4a502d1338ff8c0d126fed237ae6ca37e1322e0403019eefeb3c4152bba33d064430b65e1d224c0204b0

    • SSDEEP

      6144:rtT/Yq3v9Auky+4dusAIFB++velibxPyp/64wjOjn6cB3r/3:d6u7+487IFjvelQypyfy7/3

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe

    • Size

      1.9MB

    • MD5

      b0d62cfc43b2177c97816f2c622001be

    • SHA1

      f2b812fc94891c55de5c752bc3773036a8dc9825

    • SHA256

      c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1

    • SHA512

      4f29e098a812519506f1dea7ded26fe82f5fcffd0795e4d1d7c35d89db1ccd91fa39cf6df692eff0295c7522791051a6e726866ae30f6a525b37497d006214c1

    • SSDEEP

      24576:kz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:kOMX0/08SVYTcxMXPxthD

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings and add exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Checks whether UAC is enabled

    • Target

      c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe

    • Size

      1.9MB

    • MD5

      f6e9aa3f2d123261eda08333b1bd7559

    • SHA1

      6bfe995054477329b2308617b824fb27ed762449

    • SHA256

      c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195

    • SHA512

      24fd343e717a3b3caf5870b2e8007a16b41f26418ecd8844ccd6f74a6255bf8918f7cf9b2cc3fafdc1cb39fbbbd144daf97832d6217efa7e6330e43f49102633

    • SSDEEP

      24576:kz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:kOMX0/08SVYTcxMXPxthD

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings and add exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Checks whether UAC is enabled

    • Target

      c13d1bcad6fcfcf44834495ffdc272af84ab028f7ef78cabbde472289c2c6237.exe

    • Size

      574KB

    • MD5

      d4ab1c79238e32d0393c0d93fb496384

    • SHA1

      d74b0496c3a859e0eaee1126a5844e3236136b22

    • SHA256

      c13d1bcad6fcfcf44834495ffdc272af84ab028f7ef78cabbde472289c2c6237

    • SHA512

      39cc866de7a9ac8fd5548633db791f30e6d2e1252ad5ece599159b1cc33d23f5b063bba70ab0418cc8c2ec69ffa6e5dc5bc2a6f08989761d5be826d450f37964

    • SSDEEP

      12288:th2r/ifVjPMcBkqjVnl36ud0zR/6CtQ9PUHIG8DBuM/qyeTZ:Or/GrkqjVnlqud+/2P+ABuMA

    • Score

      7/10
    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      c15177ea36f2afdbf176de2a137587ea.exe

    • Size

      26KB

    • MD5

      c15177ea36f2afdbf176de2a137587ea

    • SHA1

      7dd50ee8fc28cf47c6aec26a329f96bca30ef66b

    • SHA256

      c886a602a924661c74be26d1f1123c152702f13126982dda2cde9f2cfee867a8

    • SHA512

      2acaffef03688a4b8382d336876323fcac6a06bda4a2b3235572d41e65800ccee80d747e7059185a4e5c28168263e61eb9f3093980c12661d34c7fa572df77a2

    • SSDEEP

      384:pLqW8nO4V7ngiJMroU9SPYiGGMdAQk93vmhm7UMKmIEecKdbXTzm9bVhcaA26KrZ:ZhVMgiOjdA/vMHTi9bDA

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      c156b157a6cb826977e0d4024ceb6580eaccc052cab1476023aabb9597b280f2.exe

    • Size

      605KB

    • MD5

      e848cf565d7a56ee5ce8e1c8deda7200

    • SHA1

      57c91fac27b7ea807b1ad11c43a0282afcbfec2a

    • SHA256

      c156b157a6cb826977e0d4024ceb6580eaccc052cab1476023aabb9597b280f2

    • SHA512

      c04f4d8339b8f99580feed64991ca6214155b6202fa7235e9af85052b5d36449946cbcfffa9b6d980164eb0a10331aeddc1986a18d666eac53e437a2d1863793

    • SSDEEP

      6144:0tT/Yq3v9Auky+4dusAIFB++velibxPyp/64wjOjn6cB3rigZg:w6u7+487IFjvelQypyfy7igZg

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      c16c4b10a70fb5dd4c12a0d9ccc26a2330d75c5cb94684d4fc5e0ce499a1925e.exe

    • Size

      106KB

    • MD5

      12629c3cf0eaec0c28145377847d6931

    • SHA1

      57d72fa3db1d6a67dc6fea8c8b87922b73e334f0

    • SHA256

      c16c4b10a70fb5dd4c12a0d9ccc26a2330d75c5cb94684d4fc5e0ce499a1925e

    • SHA512

      9fe5e7ac07f64176c84b11f8bf4f0d5b574740844f32e476b4d0988b908032f16fb857e5102f6ef2dfced3fcfc23f2efcb483839009a6e83e850ff5df6cde0c7

    • SSDEEP

      1536:U7YfZJRZk79wZn8nESiIkD2V37AUIuvQ7sG69bAdI4pxReUbpJp6bDQx:U+RZk7WZnc4YOWQ7sR9bGpxReUbpJD

    • Score

      10/10
    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Stormkitty family

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      c16e3df00370b2202bf15f0dba272d66744d0643238fdb4b1c4d3e1afcd327bf.exe

    • Size

      2.6MB

    • MD5

      3f9b2be56ee395499279e3b586e6f50d

    • SHA1

      6d47fdcd23be7c500eccb780d3bcb3d3b911c7f8

    • SHA256

      c16e3df00370b2202bf15f0dba272d66744d0643238fdb4b1c4d3e1afcd327bf

    • SHA512

      6c1a68fa8b77229b3b4e1b8d2a4248b3fea451a4de646f20b2a99643dcbd1805016b5eb64d57d81f18dbc7de4cd3d62c3e6c40d011d53aad693195a5255dcdb8

    • SSDEEP

      49152:yoURCk1qAsjZsIkRLNgXhyLHs1o0jOsTunBMslgBwmCbfv8:u0j1CntchMM1o6OO0Q

    • Score

      9/10
    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

MITRE ATT&CK Enterprise v15

Tasks

  • static1
    Tags: rat, lol checker, xm48x3, default, dcrat, njrat, stormkitty, xworm, arrowrat, asyncrat
    Score: 10/10

  • behavioral1
    Tags: dcrat, infostealer, rat
    Score: 10/10

  • behavioral2
    Tags: dcrat, infostealer, rat
    Score: 10/10

  • behavioral3
    Tags: defense_evasion, execution, trojan
    Score: 10/10

  • behavioral4
    Tags: defense_evasion, execution, trojan
    Score: 10/10

  • behavioral5
    Tags: redline, sectoprat, discovery, infostealer, rat, trojan
    Score: 10/10

  • behavioral6
    Tags: redline, sectoprat, discovery, infostealer, rat, trojan
    Score: 10/10

  • behavioral7
    Tags: collection, credential_access, discovery, persistence, spyware, stealer
    Score: 10/10

  • behavioral8
    Tags: collection, credential_access, discovery, persistence, spyware, stealer
    Score: 10/10

  • behavioral9
    Tags: discovery
    Score: 7/10

  • behavioral10
    Tags: discovery
    Score: 7/10

  • behavioral11
    Tags: umbral, defense_evasion, pyinstaller, stealer
    Score: 10/10

  • behavioral12
    Tags: umbral, defense_evasion, pyinstaller, stealer
    Score: 10/10

  • behavioral13
    Tags: dcrat, execution, infostealer, rat
    Score: 10/10

  • behavioral14
    Tags: dcrat, execution, infostealer, rat
    Score: 10/10

  • behavioral15
    Tags: dcrat, discovery, execution, infostealer, persistence, rat
    Score: 10/10

  • behavioral16
    Tags: dcrat, discovery, execution, infostealer, persistence, rat
    Score: 10/10

  • behavioral17
    Tags: collection, credential_access, discovery, persistence, spyware, stealer
    Score: 10/10

  • behavioral18
    Tags: collection, credential_access, discovery, persistence, spyware, stealer
    Score: 10/10

  • behavioral19
    Tags: defense_evasion, execution, trojan
    Score: 10/10

  • behavioral20
    Tags: defense_evasion, execution, trojan
    Score: 10/10

  • behavioral21
    Tags: defense_evasion, execution, trojan
    Score: 10/10

  • behavioral22
    Tags: defense_evasion, execution, trojan
    Score: 10/10

  • behavioral23
    Tags: spyware, stealer
    Score: 7/10

  • behavioral24
    Tags: spyware, stealer
    Score: 7/10

  • behavioral25
    Tags: njrat, lol checker, discovery, persistence, trojan
    Score: 10/10

  • behavioral26
    Tags: discovery, persistence
    Score: 7/10

  • behavioral27
    Tags: collection, credential_access, discovery, persistence, spyware, stealer
    Score: 10/10

  • behavioral28
    Tags: collection, credential_access, discovery, persistence, spyware, stealer
    Score: 10/10

  • behavioral29
    Tags: stormkitty, stealer
    Score: 10/10

  • behavioral30
    Tags: stormkitty, stealer
    Score: 10/10

  • behavioral31
    Tags: defense_evasion
    Score: 9/10

  • behavioral32
    Tags: defense_evasion
    Score: 9/10