General

  • Target

    2025-04-01_56a069b77a44f7f469878bb81d5178a7_frostygoop_ghostlocker_sliver

  • Size

    5.9MB

  • Sample

    250401-a8zmtstjt6

  • MD5

    56a069b77a44f7f469878bb81d5178a7

  • SHA1

    75a3aad0707f38fb291dd9c6a321dc5f441000e0

  • SHA256

    bfd0df39f25c0f7c5da70486a23251bfdd965f65c3d51224a180b57611ebc1f7

  • SHA512

    f722572d89f64e2663f1a48fcd34842919b033bbd35d722992057d8f510285ec40d5bb8b173eacf0b9e6b7a2e855dfeb8ba2b1cdb742699ab48469704da163a6

  • SSDEEP

    98304:ZfVAFIuyS5PrsR+L7xDhjstzrUnBaCB+RsKRABzeeL:gFIuyS5I+LJQg1B+RI

Malware Config

Targets

    • Target

      2025-04-01_56a069b77a44f7f469878bb81d5178a7_frostygoop_ghostlocker_sliver

    • Size

      5.9MB

    • MD5

      56a069b77a44f7f469878bb81d5178a7

    • SHA1

      75a3aad0707f38fb291dd9c6a321dc5f441000e0

    • SHA256

      bfd0df39f25c0f7c5da70486a23251bfdd965f65c3d51224a180b57611ebc1f7

    • SHA512

      f722572d89f64e2663f1a48fcd34842919b033bbd35d722992057d8f510285ec40d5bb8b173eacf0b9e6b7a2e855dfeb8ba2b1cdb742699ab48469704da163a6

    • SSDEEP

      98304:ZfVAFIuyS5PrsR+L7xDhjstzrUnBaCB+RsKRABzeeL:gFIuyS5I+LJQg1B+RI

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Stormkitty family

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Uses browser remote debugging

      Can be used control the browser and steal sensitive information such as credentials and session cookies.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks