General
-
Target
2025-03-30_3e9c8110f16f5cd05d10145e285431a6_frostygoop_ghostlocker_sliver
-
Size
5.9MB
-
Sample
250330-xzcs2avwbw
-
MD5
3e9c8110f16f5cd05d10145e285431a6
-
SHA1
e6bd5165ecb226a15d7b9d94294f48a4c763f02e
-
SHA256
61f80d4e1cab8965a4b8e2ff94f9259a34052b9bb587fc790ff7c72a7e0cb88b
-
SHA512
f915c2da18215d2653437d41ee894080d99d8a59e5b3b8623354b57bc73f41f38d3ff0b6a7069c510ef6bb1375934d58e06af190d410c6366d8030bc6d6d8ce7
-
SSDEEP
98304:jr1sXcfq52vHkhnpT7x/1qFI8zThj941RsKRABzueL:SXcfq52vEhnNthwdx41RI
Malware Config
Targets
-
-
Target
2025-03-30_3e9c8110f16f5cd05d10145e285431a6_frostygoop_ghostlocker_sliver
-
Size
5.9MB
-
MD5
3e9c8110f16f5cd05d10145e285431a6
-
SHA1
e6bd5165ecb226a15d7b9d94294f48a4c763f02e
-
SHA256
61f80d4e1cab8965a4b8e2ff94f9259a34052b9bb587fc790ff7c72a7e0cb88b
-
SHA512
f915c2da18215d2653437d41ee894080d99d8a59e5b3b8623354b57bc73f41f38d3ff0b6a7069c510ef6bb1375934d58e06af190d410c6366d8030bc6d6d8ce7
-
SSDEEP
98304:jr1sXcfq52vHkhnpT7x/1qFI8zThj941RsKRABzueL:SXcfq52vEhnNthwdx41RI
Score10/10-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload
-
Stormkitty family
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Uses browser remote debugging
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Event Triggered Execution
1Netsh Helper DLL
1Modify Authentication Process
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
2Credentials In Files
2