General

  • Target

    250325-axqksaxrbs_pw_infected.zip

  • Size

    130KB

  • Sample

    250325-ba72zssk14

  • MD5

    d75aefca4e647389152c375422352746

  • SHA1

    00ab1cbfe1d97394bd544af8ff5bee8b6356e49d

  • SHA256

    847cc80ec82d4579b87ecf68c9ddf0cc06d198dc29540b3ad91b7ce51e3c95ea

  • SHA512

    0977934dcdeb8611a88507cf67d6c46bdd841ce206405bd7a3260e3c369af188f6f37cb095aa9520a39f380cd68d98e985334484f4c17719e0db52b3d5656e32

  • SSDEEP

    3072:/ldPtvKVEcTniWGZA5ExzGxT19mpv1bo1r+iglqTBU9qELr3AS:d/vKGcWWqA+dG3018RTBNEv37

Targets

    • Target

      92ac159ee96cd578edf7970d270bec0e94d11995f9fe2478b263b1e767e624c5

    • Size

      143KB

    • MD5

      5d0bcf125fc151f9d94723142a9767b2

    • SHA1

      480c3db281ccf648dc7c794a98407ea4facdbe36

    • SHA256

      92ac159ee96cd578edf7970d270bec0e94d11995f9fe2478b263b1e767e624c5

    • SHA512

      20acd014e4a1bfac0adb2eaaf489b687a5f4f0366bf2a92fea00f9adb3d54f78553767650f7c6b64eeae7f393c48c5ee0523495d9d02ea5609630bb657ce691c

    • SSDEEP

      3072:zTIN8ogtjDAVeuGpr3CYcNk/s3nZnzao//mj77XPECeeYcmbr/nrM6B3c0TTmy3d:zTA8oPersuUnZzR/eDPECeeYrU6FPd

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Stormkitty family

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Sets desktop wallpaper using registry

    • Target

      $TEMP/sys_temp/build.exe

    • Size

      213KB

    • MD5

      3e0ef380326dfa71f8662a28eb2605ed

    • SHA1

      082a799dcd05bdd09682f95347486fab5b639300

    • SHA256

      52cc8474d6f2156950c46210d28e602e52effc61f104c2714697fb5db1aadf60

    • SHA512

      c1deed49b8c4a288acdae21be444ccd8c86d43a4e713a7965affa807f428b98951c32cea03acce301a46888dcc5a5784c9d4ba4e3d77377f4dcef15755eee16e

    • SSDEEP

      6144:zgu0c4uUfX8fjVV+ZRH8rq9JrKbRG1EK1:zr0tPPx8rq9Jr1

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Stormkitty family

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      $TEMP/sys_temp/kernelv.exe

    • Size

      24KB

    • MD5

      e43a896215467062f0511768737c113f

    • SHA1

      8672165c291211df68076fa217a63e4acc200ae2

    • SHA256

      a60af750115389bf7891c982f42cb30f7436e996072d6bd1f04930c67cb4649e

    • SHA512

      803adcaf0c89691e22e48becc87c02f7887a9261b610e2018504141148ddca880dea7b0f44298d9b458eb825b8bd9be725585ce461d7c3157452c89678d07244

    • SSDEEP

      384:SlhPJDRDUJno/+v5YS1lRIGZ+NjB0EF1hAc5glYNkFISaROvrP:ahPJDRDUJnoUYawglGmP
