stormkitty | 1aa7b910d99ef87d29be0bc96c4cf3a2823fea04fafd2a4b736c1156d73b2bb0

Analysis

max time kernel
161s
max time network
184s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 10:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a.exe
Size

1.4MB
MD5

80467b17d18000d6fab38846004e81ea
SHA1

1ffbeeeb77a563e7068cbd85c5d2ee2423e01017
SHA256

1aa7b910d99ef87d29be0bc96c4cf3a2823fea04fafd2a4b736c1156d73b2bb0
SHA512

8ca8ddd7609afa50c15927aec910e9a077ffc89aa213d4f3a0bd4c2be7d7e5f4374a06cb58f0f726715e867376f08fbbea16c32ea1286e4b832b496b6d7a42e9
SSDEEP

24576:CofiMngrdePNzQ0ZIxNXaV9x4IUgs36BUI2So5+jnzFYCaGApu8:7TgReFs0ZM0T+Sk6BU7HIFY7G98

Score

10^/10

stormkitty spyware stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3748-132-0x0000000000BB0000-0x0000000000D12000-memory.dmp	family_stormkitty

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 checkip.dyndns.org
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1a.exe

description pid process

Token: SeDebugPrivilege 3748 1a.exe

flow	ioc
7	checkip.dyndns.org

description	pid	process
Token: SeDebugPrivilege	3748	1a.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

1a.execmd.execmd.exe

description	pid	process	target process
PID 3748 wrote to memory of 4824	3748	1a.exe	cmd.exe
PID 3748 wrote to memory of 4824	3748	1a.exe	cmd.exe
PID 4824 wrote to memory of 1040	4824	cmd.exe	chcp.com
PID 4824 wrote to memory of 1040	4824	cmd.exe	chcp.com
PID 4824 wrote to memory of 996	4824	cmd.exe	netsh.exe
PID 4824 wrote to memory of 996	4824	cmd.exe	netsh.exe
PID 4824 wrote to memory of 1028	4824	cmd.exe	findstr.exe
PID 4824 wrote to memory of 1028	4824	cmd.exe	findstr.exe
PID 3748 wrote to memory of 2128	3748	1a.exe	cmd.exe
PID 3748 wrote to memory of 2128	3748	1a.exe	cmd.exe
PID 2128 wrote to memory of 2056	2128	cmd.exe	chcp.com
PID 2128 wrote to memory of 2056	2128	cmd.exe	chcp.com
PID 2128 wrote to memory of 4236	2128	cmd.exe	netsh.exe
PID 2128 wrote to memory of 4236	2128	cmd.exe	netsh.exe
PID 2128 wrote to memory of 2136	2128	cmd.exe	findstr.exe
PID 2128 wrote to memory of 2136	2128	cmd.exe	findstr.exe

C:\Users\Admin\AppData\Local\Temp\1a.exe
"C:\Users\Admin\AppData\Local\Temp\1a.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3748

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
2⤵
- Suspicious use of WriteProcessMemory
PID:4824

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:1040

C:\Windows\system32\netsh.exe
netsh wlan show profile
3⤵
PID:996

C:\Windows\system32\findstr.exe
findstr All
3⤵
PID:1028

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile name=65001 key=clear | findstr Key
2⤵
- Suspicious use of WriteProcessMemory
PID:2128

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:2056

C:\Windows\system32\netsh.exe
netsh wlan show profile name=65001 key=clear
3⤵
PID:4236

C:\Windows\system32\findstr.exe
findstr Key
3⤵
PID:2136

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/996-137-0x0000000000000000-mapping.dmp

Download
memory/1028-138-0x0000000000000000-mapping.dmp

Download
memory/1040-136-0x0000000000000000-mapping.dmp

Download
memory/2056-140-0x0000000000000000-mapping.dmp

Download
memory/2128-139-0x0000000000000000-mapping.dmp

Download
memory/2136-142-0x0000000000000000-mapping.dmp

Download
memory/3748-132-0x0000000000BB0000-0x0000000000D12000-memory.dmp

Filesize
1.4MB

Download
memory/3748-134-0x00007FFAA33F0000-0x00007FFAA3EB1000-memory.dmp

Filesize
10.8MB

Download
memory/3748-133-0x000000001B840000-0x000000001B85A000-memory.dmp

Filesize
104KB

Download
memory/3748-143-0x00007FFAA33F0000-0x00007FFAA3EB1000-memory.dmp

Filesize
10.8MB

Download
memory/4236-141-0x0000000000000000-mapping.dmp

Download
memory/4824-135-0x0000000000000000-mapping.dmp

Download