blustealer | 788b02199a92e85072e007000ecc03098c2c40f74665159324a7be7e19a62f2e | Triage

Submit
Reports

Overview

overview

Static

static

1216-60-0x...ry.exe

windows7-x64

1216-60-0x...ry.exe

windows10-2004-x64

Sharing

General

Target

1216-60-0x0000000000400000-0x0000000000428000-memory.dmp
Size

160KB
Sample

220726-rwns8sadgp
MD5

c93c224620bbeffcf10df8c07447c394
SHA1

b4770ce3def8a09b0bb7a4bc9a05150f8c8ac666
SHA256

788b02199a92e85072e007000ecc03098c2c40f74665159324a7be7e19a62f2e
SHA512

6cafb342c2a7095bc8a83e9a132261e480f5e361a0c51e210067ede559eda661d17ee948c46e5aed7db298532a307ae16ec05dc3cb27ab7ac7803f5ab2aaa9f8

Score

10^/10

blustealer stormkitty collection persistence spyware stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

1216-60-0x0000000000400000-0x0000000000428000-memory.exe

Resource

win7-20220715-en

stormkitty collection persistence spyware stealer

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

1216-60-0x0000000000400000-0x0000000000428000-memory.exe

Resource

win10v2004-20220721-en

stormkitty collection persistence spyware stealer

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Targets

- Target
  
  1216-60-0x0000000000400000-0x0000000000428000-memory.dmp
- Size
  
  160KB
- MD5
  
  c93c224620bbeffcf10df8c07447c394
- SHA1
  
  b4770ce3def8a09b0bb7a4bc9a05150f8c8ac666
- SHA256
  
  788b02199a92e85072e007000ecc03098c2c40f74665159324a7be7e19a62f2e
- SHA512
  
  6cafb342c2a7095bc8a83e9a132261e480f5e361a0c51e210067ede559eda661d17ee948c46e5aed7db298532a307ae16ec05dc3cb27ab7ac7803f5ab2aaa9f8
Score

10^/10

stormkitty collection persistence spyware stealer
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

stormkittycollectionpersistencespywarestealer

behavioral2

stormkittycollectionpersistencespywarestealer

© 2018-2025

Terms | Privacy