CrowdStrike Tracks Reported Iranian Actor as FLYING KITTEN
Tags
country: Iran Iraq
attack-pattern: Data Credentials - T1589.001 Domains - T1583.001 Domains - T1584.001 Malware - T1587.001 Malware - T1588.001 Server - T1583.004 Server - T1584.004 Tool - T1588.002 Whois - T1596.002
Show in Graph
Common Information
Type Value
UUID c97575b1-4556-4c30-a530-082652e7cc7a
Fingerprint 9c19ae592ae6df05
Analysis status DONE
Considered CTI value 1
Text language
Published May 13, 2014, 12:31 p.m.
Added to db Sept. 26, 2022, 9:32 a.m.
Last updated Nov. 18, 2024, 4:35 a.m.
Headline Cat Scratch Fever: CrowdStrike Tracks Newly Reported Iranian Actor as FLYING KITTEN
Title CrowdStrike Tracks Reported Iranian Actor as FLYING KITTEN
Detected Hints/Tags/Attributes 44/2/12
Source URLs
Redirection Url
Details Source https://www.crowdstrike.com/blog/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/
URL Provider
Details Provider Source level domain
Details crowdstrike.com www.crowdstrike.com
Attributes
Details Type #Events CTI Value
Details Domain 2 
parmanpower.com
Details Domain 3 
usa.gov.us
Details Domain 2 
aeroconf2014.org
Details Domain 1176 
gmail.com
Details Domain 1 
stealer.properties
Details Domain 57 
crowdstrike.com
Details Email 3 
info@usa.gov.us
Details Email 2 
keyvan.ajaxtm@gmail.com
Details Email 4 
intelligence@crowdstrike.com
Details File 1 
intelrapidstart.exe
Details Pdb 2 
stealer.pdb
Details Yara rule 1 
rule CrowdStrike_CSIT_14003_03 : installer {
	meta:
		copyright = "CrowdStrike, Inc"
		description = "Flying Kitten Installer"
		version = "1.0"
		actor = "FLYING KITTEN"
		in_the_wild = true
	strings:
		$exename = "IntelRapidStart.exe"
		$confname = "IntelRapidStart.exe.config"
		$cabhdr = { 4D 53 43 46 00 00 00 00 }
	condition:
		all of them
}