stormkitty | 6e3816fe96ae72f3c7695e1a64225ed36ff8a7e61f0fb192447cb14d5736dcea

General

Target

00909000870.exe
Size

1.1MB
MD5

b6d292139cbd769bfa7c005cbc3a8202
SHA1

f12d48f3aa3a1910795a12fbc57b32d24145af73
SHA256

6e3816fe96ae72f3c7695e1a64225ed36ff8a7e61f0fb192447cb14d5736dcea
SHA512

3cde67951d45796bf76c7724db52cc2bf64d40cf55e5bb751c98a0028ea309549f0344f1c0e1adf32c384441a02507cbfbaf0476761bebc37f5816079472dc6a

Score

10^/10

stormkitty spyware stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3164-120-0x0000000000400000-0x00000000004B2000-memory.dmp	family_stormkitty
behavioral2/memory/3164-121-0x00000000004A734E-mapping.dmp	family_stormkitty

Loads dropped DLL 1 IoCs

Processes:

00909000870.exe

pid process

568 00909000870.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
568	00909000870.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

00909000870.exe00909000870.exe

description	pid	process	target process
PID 568 set thread context of 3208	568	00909000870.exe	00909000870.exe
PID 3208 set thread context of 3164	3208	00909000870.exe	AppLaunch.exe
PID 3208 set thread context of 2956	3208	00909000870.exe	InstallUtil.exe
PID 3208 set thread context of 3032	3208	00909000870.exe	InstallUtil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3968 3164 WerFault.exe AppLaunch.exe

pid	pid_target	process	target process
3968	3164	WerFault.exe	AppLaunch.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
3968	WerFault.exe
3968	WerFault.exe
3968	WerFault.exe
3968	WerFault.exe
3968	WerFault.exe
3968	WerFault.exe
3968	WerFault.exe
3968	WerFault.exe
3968	WerFault.exe
3968	WerFault.exe
3968	WerFault.exe
3968	WerFault.exe
3968	WerFault.exe
3968	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

00909000870.exe

pid process

3208 00909000870.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

00909000870.exe

pid process

568 00909000870.exe

pid	process
3208	00909000870.exe

pid	process
568	00909000870.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

WerFault.exeInstallUtil.exe

description	pid	process
Token: SeRestorePrivilege	3968	WerFault.exe
Token: SeBackupPrivilege	3968	WerFault.exe
Token: SeDebugPrivilege	3968	WerFault.exe
Token: SeDebugPrivilege	3032	InstallUtil.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

00909000870.exe

pid process

3208 00909000870.exe
3208 00909000870.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

00909000870.exeInstallUtil.exe

pid process

3208 00909000870.exe
3208 00909000870.exe
3032 InstallUtil.exe
3032 InstallUtil.exe

pid	process
3208	00909000870.exe
3208	00909000870.exe

pid	process
3208	00909000870.exe
3208	00909000870.exe
3032	InstallUtil.exe
3032	InstallUtil.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

00909000870.exe00909000870.exeWinMail.exe

description	pid	process	target process
PID 568 wrote to memory of 3208	568	00909000870.exe	00909000870.exe
PID 568 wrote to memory of 3208	568	00909000870.exe	00909000870.exe
PID 568 wrote to memory of 3208	568	00909000870.exe	00909000870.exe
PID 568 wrote to memory of 3208	568	00909000870.exe	00909000870.exe
PID 3208 wrote to memory of 3164	3208	00909000870.exe	AppLaunch.exe
PID 3208 wrote to memory of 3164	3208	00909000870.exe	AppLaunch.exe
PID 3208 wrote to memory of 3164	3208	00909000870.exe	AppLaunch.exe
PID 3208 wrote to memory of 3164	3208	00909000870.exe	AppLaunch.exe
PID 3208 wrote to memory of 3164	3208	00909000870.exe	AppLaunch.exe
PID 3208 wrote to memory of 3164	3208	00909000870.exe	AppLaunch.exe
PID 3208 wrote to memory of 3164	3208	00909000870.exe	AppLaunch.exe
PID 3208 wrote to memory of 3164	3208	00909000870.exe	AppLaunch.exe
PID 3208 wrote to memory of 2956	3208	00909000870.exe	InstallUtil.exe
PID 3208 wrote to memory of 2956	3208	00909000870.exe	InstallUtil.exe
PID 3208 wrote to memory of 2956	3208	00909000870.exe	InstallUtil.exe
PID 3208 wrote to memory of 2956	3208	00909000870.exe	InstallUtil.exe
PID 3208 wrote to memory of 2956	3208	00909000870.exe	InstallUtil.exe
PID 3208 wrote to memory of 2956	3208	00909000870.exe	InstallUtil.exe
PID 3208 wrote to memory of 2956	3208	00909000870.exe	InstallUtil.exe
PID 3208 wrote to memory of 2956	3208	00909000870.exe	InstallUtil.exe
PID 3208 wrote to memory of 3032	3208	00909000870.exe	InstallUtil.exe
PID 3208 wrote to memory of 3032	3208	00909000870.exe	InstallUtil.exe
PID 3208 wrote to memory of 3032	3208	00909000870.exe	InstallUtil.exe
PID 3208 wrote to memory of 3032	3208	00909000870.exe	InstallUtil.exe
PID 3208 wrote to memory of 3032	3208	00909000870.exe	InstallUtil.exe
PID 3208 wrote to memory of 3032	3208	00909000870.exe	InstallUtil.exe
PID 3208 wrote to memory of 3032	3208	00909000870.exe	InstallUtil.exe
PID 3208 wrote to memory of 3032	3208	00909000870.exe	InstallUtil.exe
PID 3208 wrote to memory of 4000	3208	00909000870.exe	WinMail.exe
PID 3208 wrote to memory of 4000	3208	00909000870.exe	WinMail.exe
PID 3208 wrote to memory of 4000	3208	00909000870.exe	WinMail.exe
PID 4000 wrote to memory of 3856	4000	WinMail.exe	WinMail.exe
PID 4000 wrote to memory of 3856	4000	WinMail.exe	WinMail.exe

C:\Users\Admin\AppData\Local\Temp\00909000870.exe
"C:\Users\Admin\AppData\Local\Temp\00909000870.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:568

C:\Users\Admin\AppData\Local\Temp\00909000870.exe
"C:\Users\Admin\AppData\Local\Temp\00909000870.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:3164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 932
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
3⤵
PID:2956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3032

C:\Program Files (x86)\Windows Mail\WinMail.exe
"C:\Program Files (x86)\Windows Mail\WinMail" OCInstallUserConfigOE
3⤵
- Suspicious use of WriteProcessMemory
PID:4000

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
4⤵
PID:3856

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log
MD5
957779c42144282d8cd83192b8fbc7cf

SHA1
de83d08d2cca06b9ff3d1ef239d6b60b705d25fe

SHA256
0d7ca7ba65e2b465e4878e324ceab8f8981f5ec06dcf5bc32559a4467a9c7d51

SHA512
f1549c61b4f2906d13b2aabb74772c2bc826cd42373d7bb6c48cbb125d5aa2ec17617e6b5e67e8aae3bb5790cc831cdba48a45008ed01df4fba8be448cce39fd

Download Submit
C:\Users\Admin\BrowsersFiles.zip
MD5
36cd3e0fcda0f27b0f46ca7fe7bc63d3

SHA1
e076dcec1c5f9eed401f4c380a783eb1c4de047f

SHA256
8f46c060e2fabd4516507a90c6ec4911a3b05ff1cd20e1ca5ce84144078d6a5b

SHA512
6137a0de3315245729c093d78da90e7c599f84b4176870403cf46373b6f7c7a44a95bc4ef4b850be9de16e7fe3156b1d3e3f7eb3e0cb09e9a0ab81fe6955b120

Download Submit
C:\Users\Admin\BrowsersFiles\MozillaCookies.txt
MD5
c0eba57ce108eb752f9d91b8e3529c9c

SHA1
ed333454d80787cb146a5c50bfc96fbe0ef881c2

SHA256
7afc1e9f51dd43ef4205cb543ebb57bbe6eba7ea23228a7973f397da556ace4b

SHA512
b3345a6f9a92d1e04cb4289cecea29e55a4ea4e4843d2218ceac852769fd47cf5d347483792f6ec6495d858cb688aabd74ed7cdd52a81c9b486380edc04216d0

Download Submit
C:\Users\Admin\credentials.txt
MD5
41e57e735c82db717113096f67be9781

SHA1
a3a692b3020acd1ad6906cf3c2c9b111e66322f6

SHA256
881f99f69fbcbe3439645fe12f6a899bbc22fc702e95d5957631943ffbc08bb2

SHA512
74065c29d1f17bb513fb9acfba1f41b60879769430ec323d8022060245549bfa99d28a5c5e33d947eca55c7a66796878d4b2e86baf2efd8c745a67995df1884a

Download Submit
\Users\Admin\AppData\Local\Temp\nsk6D95.tmp\b7lqb2393a.dll
MD5
93fbd7c82ab517898fb113578a37530a

SHA1
966c0aedf19881ac23eb4b1058584e51366fb542

SHA256
57d4bac2f5f89cf338ee2d7b4cf7781aa55a9497fccaba58b86682bf9f884ec1

SHA512
3ca35c59b214f9a3fbd00d497113b94049e738352b499323564eb31712ad7cb2af4ae5fc8344d5c90ee21c862b779eaeeceaa618aee3bfe78b3f8f2f86839023

Download Submit
memory/568-116-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/568-117-0x0000000002601000-0x0000000002605000-memory.dmp

Filesize
16KB

Download
memory/2956-124-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2956-125-0x0000000000404212-mapping.dmp

Download
memory/3032-191-0x0000000004C61000-0x0000000004C62000-memory.dmp

Filesize
4KB

Download
memory/3032-190-0x0000000004C60000-0x0000000004C61000-memory.dmp

Filesize
4KB

Download
memory/3032-187-0x0000000000404212-mapping.dmp

Download
memory/3032-192-0x0000000004C62000-0x0000000004C63000-memory.dmp

Filesize
4KB

Download
memory/3164-121-0x00000000004A734E-mapping.dmp

Download
memory/3164-186-0x0000000009610000-0x0000000009676000-memory.dmp

Filesize
408KB

Download
memory/3164-133-0x0000000009790000-0x0000000009791000-memory.dmp

Filesize
4KB

Download
memory/3164-132-0x0000000009680000-0x0000000009681000-memory.dmp

Filesize
4KB

Download
memory/3164-120-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3208-127-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/3208-115-0x00000000004025C4-mapping.dmp

Download
memory/3856-195-0x0000000000000000-mapping.dmp

Download
memory/4000-194-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads