General
Target: 250325-axqksaxrbs_pw_infected.zip
Size: 130KB
Sample: 250325-ba72zssk14
MD5: d75aefca4e647389152c375422352746
SHA1: 00ab1cbfe1d97394bd544af8ff5bee8b6356e49d
SHA256: 847cc80ec82d4579b87ecf68c9ddf0cc06d198dc29540b3ad91b7ce51e3c95ea
SHA512: 0977934dcdeb8611a88507cf67d6c46bdd841ce206405bd7a3260e3c369af188f6f37cb095aa9520a39f380cd68d98e985334484f4c17719e0db52b3d5656e32
SSDEEP: 3072:/ldPtvKVEcTniWGZA5ExzGxT19mpv1bo1r+iglqTBU9qELr3AS:d/vKGcWWqA+dG3018RTBNEv37
Behavioral tasks
behavioral1
  Sample: 92ac159ee96cd578edf7970d270bec0e94d11995f9fe2478b263b1e767e624c5.exe
  Resource: win7-20240903-en
behavioral2
  Sample: 92ac159ee96cd578edf7970d270bec0e94d11995f9fe2478b263b1e767e624c5.exe
  Resource: win10v2004-20250314-en
behavioral3
  Sample: $TEMP/sys_temp/build.exe
  Resource: win7-20240903-en
behavioral4
  Sample: $TEMP/sys_temp/build.exe
  Resource: win10v2004-20250314-en
behavioral5
  Sample: $TEMP/sys_temp/kernelv.exe
  Resource: win7-20250207-en
behavioral6
  Sample: $TEMP/sys_temp/kernelv.exe
  Resource: win10v2004-20250314-en
Malware Config

Targets

Target: 92ac159ee96cd578edf7970d270bec0e94d11995f9fe2478b263b1e767e624c5
Size: 143KB
MD5: 5d0bcf125fc151f9d94723142a9767b2
SHA1: 480c3db281ccf648dc7c794a98407ea4facdbe36
SHA256: 92ac159ee96cd578edf7970d270bec0e94d11995f9fe2478b263b1e767e624c5
SHA512: 20acd014e4a1bfac0adb2eaaf489b687a5f4f0366bf2a92fea00f9adb3d54f78553767650f7c6b64eeae7f393c48c5ee0523495d9d02ea5609630bb657ce691c
SSDEEP: 3072:zTIN8ogtjDAVeuGpr3CYcNk/s3nZnzao//mj77XPECeeYcmbr/nrM6B3c0TTmy3d:zTA8oPersuUnZzR/eDPECeeYrU6FPd
Signatures:
- StormKitty payload
- Stormkitty family
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Sets desktop wallpaper using registry
Target: $TEMP/sys_temp/build.exe
Size: 213KB
MD5: 3e0ef380326dfa71f8662a28eb2605ed
SHA1: 082a799dcd05bdd09682f95347486fab5b639300
SHA256: 52cc8474d6f2156950c46210d28e602e52effc61f104c2714697fb5db1aadf60
SHA512: c1deed49b8c4a288acdae21be444ccd8c86d43a4e713a7965affa807f428b98951c32cea03acce301a46888dcc5a5784c9d4ba4e3d77377f4dcef15755eee16e
SSDEEP: 6144:zgu0c4uUfX8fjVV+ZRH8rq9JrKbRG1EK1:zr0tPPx8rq9Jr1
Signatures:
- StormKitty payload
- Stormkitty family
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
Target: $TEMP/sys_temp/kernelv.exe
Size: 24KB
MD5: e43a896215467062f0511768737c113f
SHA1: 8672165c291211df68076fa217a63e4acc200ae2
SHA256: a60af750115389bf7891c982f42cb30f7436e996072d6bd1f04930c67cb4649e
SHA512: 803adcaf0c89691e22e48becc87c02f7887a9261b610e2018504141148ddca880dea7b0f44298d9b458eb825b8bd9be725585ce461d7c3157452c89678d07244
SSDEEP: 384:SlhPJDRDUJno/+v5YS1lRIGZ+NjB0EF1hAc5glYNkFISaROvrP:ahPJDRDUJnoUYawglGmP
Score: 6/10
Signatures:
- Adds Run key to start application
- Sets desktop wallpaper using registry
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)