stormkitty | fddde87baeb78e0cbd56e87bf6e27052c13a42b5c808331b39157a605851164e

General

Target

stub.bin.exe
Size

561KB
MD5

68260e77a8d3f9f51e06d351f9ec4a9a
SHA1

11dad0b9986ed9f8da5b8021bf1fdcef7aeba159
SHA256

fddde87baeb78e0cbd56e87bf6e27052c13a42b5c808331b39157a605851164e
SHA512

7801cfdf9786d14c5386c900e42b8228c8242be13e5f6d3e8fd8b4c93f6796faec7caf0f93077ecc5933e912113ea6dfb735160b0289e34073a7f0a337ff66f1

Score

10^/10

stormkitty spyware stealer suricata

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty Payload 5 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\stub.bin.exe	family_stormkitty
\Users\Admin\AppData\Local\Temp\stub.bin.exe	family_stormkitty
\Users\Admin\AppData\Local\Temp\stub.bin.exe	family_stormkitty
\Users\Admin\AppData\Local\Temp\stub.bin.exe	family_stormkitty
\Users\Admin\AppData\Local\Temp\stub.bin.exe	family_stormkitty

suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata
Loads dropped DLL 7 IoCs

Processes:

stub.bin.exeWerFault.exe

pid process

572 stub.bin.exe
572 stub.bin.exe
752 WerFault.exe
752 WerFault.exe
752 WerFault.exe
752 WerFault.exe
752 WerFault.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
572	stub.bin.exe
572	stub.bin.exe
752	WerFault.exe
752	WerFault.exe
752	WerFault.exe
752	WerFault.exe
752	WerFault.exe

Drops desktop.ini file(s) 5 IoCs

Processes:

stub.bin.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\5ad9a1338abe030f1491e7e2daf0ae64\Admin@JZCKHXIN_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	stub.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\5ad9a1338abe030f1491e7e2daf0ae64\Admin@JZCKHXIN_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	stub.bin.exe
File created	C:\Users\Admin\AppData\Local\5ad9a1338abe030f1491e7e2daf0ae64\Admin@JZCKHXIN_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	stub.bin.exe
File created	C:\Users\Admin\AppData\Local\5ad9a1338abe030f1491e7e2daf0ae64\Admin@JZCKHXIN_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	stub.bin.exe
File created	C:\Users\Admin\AppData\Local\5ad9a1338abe030f1491e7e2daf0ae64\Admin@JZCKHXIN_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	stub.bin.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 icanhazip.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

752 572 WerFault.exe stub.bin.exe

flow	ioc
6	icanhazip.com

pid	pid_target	process	target process
752	572	WerFault.exe	stub.bin.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

stub.bin.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	stub.bin.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	stub.bin.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

stub.bin.exeWerFault.exe

pid process

572 stub.bin.exe
572 stub.bin.exe
572 stub.bin.exe
752 WerFault.exe
752 WerFault.exe
752 WerFault.exe
752 WerFault.exe
752 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

752 WerFault.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

stub.bin.exeWerFault.exe

description pid process

Token: SeDebugPrivilege 572 stub.bin.exe
Token: SeDebugPrivilege 752 WerFault.exe

pid	process
572	stub.bin.exe
572	stub.bin.exe
572	stub.bin.exe
752	WerFault.exe
752	WerFault.exe
752	WerFault.exe
752	WerFault.exe
752	WerFault.exe

pid	process
752	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	572	stub.bin.exe
Token: SeDebugPrivilege	752	WerFault.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

stub.bin.execmd.execmd.exe

description	pid	process	target process
PID 572 wrote to memory of 1912	572	stub.bin.exe	cmd.exe
PID 572 wrote to memory of 1912	572	stub.bin.exe	cmd.exe
PID 572 wrote to memory of 1912	572	stub.bin.exe	cmd.exe
PID 572 wrote to memory of 1912	572	stub.bin.exe	cmd.exe
PID 1912 wrote to memory of 680	1912	cmd.exe	chcp.com
PID 1912 wrote to memory of 680	1912	cmd.exe	chcp.com
PID 1912 wrote to memory of 680	1912	cmd.exe	chcp.com
PID 1912 wrote to memory of 680	1912	cmd.exe	chcp.com
PID 1912 wrote to memory of 1916	1912	cmd.exe	netsh.exe
PID 1912 wrote to memory of 1916	1912	cmd.exe	netsh.exe
PID 1912 wrote to memory of 1916	1912	cmd.exe	netsh.exe
PID 1912 wrote to memory of 1916	1912	cmd.exe	netsh.exe
PID 1912 wrote to memory of 1736	1912	cmd.exe	findstr.exe
PID 1912 wrote to memory of 1736	1912	cmd.exe	findstr.exe
PID 1912 wrote to memory of 1736	1912	cmd.exe	findstr.exe
PID 1912 wrote to memory of 1736	1912	cmd.exe	findstr.exe
PID 572 wrote to memory of 1992	572	stub.bin.exe	cmd.exe
PID 572 wrote to memory of 1992	572	stub.bin.exe	cmd.exe
PID 572 wrote to memory of 1992	572	stub.bin.exe	cmd.exe
PID 572 wrote to memory of 1992	572	stub.bin.exe	cmd.exe
PID 1992 wrote to memory of 1604	1992	cmd.exe	chcp.com
PID 1992 wrote to memory of 1604	1992	cmd.exe	chcp.com
PID 1992 wrote to memory of 1604	1992	cmd.exe	chcp.com
PID 1992 wrote to memory of 1604	1992	cmd.exe	chcp.com
PID 1992 wrote to memory of 1600	1992	cmd.exe	netsh.exe
PID 1992 wrote to memory of 1600	1992	cmd.exe	netsh.exe
PID 1992 wrote to memory of 1600	1992	cmd.exe	netsh.exe
PID 1992 wrote to memory of 1600	1992	cmd.exe	netsh.exe
PID 572 wrote to memory of 752	572	stub.bin.exe	WerFault.exe
PID 572 wrote to memory of 752	572	stub.bin.exe	WerFault.exe
PID 572 wrote to memory of 752	572	stub.bin.exe	WerFault.exe
PID 572 wrote to memory of 752	572	stub.bin.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\stub.bin.exe
"C:\Users\Admin\AppData\Local\Temp\stub.bin.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:572

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
2⤵
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:680

C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
3⤵
PID:1916

C:\Windows\SysWOW64\findstr.exe
findstr All
3⤵
PID:1736

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
2⤵
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:1604

C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
3⤵
PID:1600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 572 -s 2448
2⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:752

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\DotNetZip.dll
MD5
6d1c62ec1c2ef722f49b2d8dd4a4df16

SHA1
1bb08a979b7987bc7736a8cfa4779383cb0ecfa6

SHA256
00da1597d92235d3f84da979e2fa5dbf049bafb52c33bd6fc8ee7b29570c124c

SHA512
c0dce8eaa52eb6c319d4be2eec4622bb3380c65b659cfb77ff51a4ada7d3e591e791ee823dad67b5556ffac5c060ff45d09dd1cc21baaf70ba89806647cb3bd2

Download Submit
\Users\Admin\AppData\Local\Temp\DotNetZip.dll
MD5
6d1c62ec1c2ef722f49b2d8dd4a4df16

SHA1
1bb08a979b7987bc7736a8cfa4779383cb0ecfa6

SHA256
00da1597d92235d3f84da979e2fa5dbf049bafb52c33bd6fc8ee7b29570c124c

SHA512
c0dce8eaa52eb6c319d4be2eec4622bb3380c65b659cfb77ff51a4ada7d3e591e791ee823dad67b5556ffac5c060ff45d09dd1cc21baaf70ba89806647cb3bd2

Download Submit
\Users\Admin\AppData\Local\Temp\stub.bin.exe
MD5
68260e77a8d3f9f51e06d351f9ec4a9a

SHA1
11dad0b9986ed9f8da5b8021bf1fdcef7aeba159

SHA256
fddde87baeb78e0cbd56e87bf6e27052c13a42b5c808331b39157a605851164e

SHA512
7801cfdf9786d14c5386c900e42b8228c8242be13e5f6d3e8fd8b4c93f6796faec7caf0f93077ecc5933e912113ea6dfb735160b0289e34073a7f0a337ff66f1

Download Submit
\Users\Admin\AppData\Local\Temp\stub.bin.exe
MD5
68260e77a8d3f9f51e06d351f9ec4a9a

SHA1
11dad0b9986ed9f8da5b8021bf1fdcef7aeba159

SHA256
fddde87baeb78e0cbd56e87bf6e27052c13a42b5c808331b39157a605851164e

SHA512
7801cfdf9786d14c5386c900e42b8228c8242be13e5f6d3e8fd8b4c93f6796faec7caf0f93077ecc5933e912113ea6dfb735160b0289e34073a7f0a337ff66f1

Download Submit
\Users\Admin\AppData\Local\Temp\stub.bin.exe
MD5
68260e77a8d3f9f51e06d351f9ec4a9a

SHA1
11dad0b9986ed9f8da5b8021bf1fdcef7aeba159

SHA256
fddde87baeb78e0cbd56e87bf6e27052c13a42b5c808331b39157a605851164e

SHA512
7801cfdf9786d14c5386c900e42b8228c8242be13e5f6d3e8fd8b4c93f6796faec7caf0f93077ecc5933e912113ea6dfb735160b0289e34073a7f0a337ff66f1

Download Submit
\Users\Admin\AppData\Local\Temp\stub.bin.exe
MD5
68260e77a8d3f9f51e06d351f9ec4a9a

SHA1
11dad0b9986ed9f8da5b8021bf1fdcef7aeba159

SHA256
fddde87baeb78e0cbd56e87bf6e27052c13a42b5c808331b39157a605851164e

SHA512
7801cfdf9786d14c5386c900e42b8228c8242be13e5f6d3e8fd8b4c93f6796faec7caf0f93077ecc5933e912113ea6dfb735160b0289e34073a7f0a337ff66f1

Download Submit
\Users\Admin\AppData\Local\Temp\stub.bin.exe
MD5
68260e77a8d3f9f51e06d351f9ec4a9a

SHA1
11dad0b9986ed9f8da5b8021bf1fdcef7aeba159

SHA256
fddde87baeb78e0cbd56e87bf6e27052c13a42b5c808331b39157a605851164e

SHA512
7801cfdf9786d14c5386c900e42b8228c8242be13e5f6d3e8fd8b4c93f6796faec7caf0f93077ecc5933e912113ea6dfb735160b0289e34073a7f0a337ff66f1

Download Submit
memory/572-62-0x0000000005655000-0x0000000005666000-memory.dmp

Filesize
68KB

Download
memory/572-54-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/572-56-0x0000000005650000-0x0000000005651000-memory.dmp

Filesize
4KB

Download
memory/572-69-0x0000000005710000-0x0000000005711000-memory.dmp

Filesize
4KB

Download
memory/680-58-0x0000000000000000-mapping.dmp

Download
memory/752-70-0x0000000000000000-mapping.dmp

Download
memory/752-76-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1600-65-0x0000000000000000-mapping.dmp

Download
memory/1604-64-0x0000000000000000-mapping.dmp

Download
memory/1736-60-0x0000000000000000-mapping.dmp

Download
memory/1912-57-0x0000000000000000-mapping.dmp

Download
memory/1916-61-0x00000000765A1000-0x00000000765A3000-memory.dmp

Filesize
8KB

Download
memory/1916-59-0x0000000000000000-mapping.dmp

Download
memory/1992-63-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads