stormkitty | 1aa7b910d99ef87d29be0bc96c4cf3a2823fea04fafd2a4b736c1156d73b2bb0

Analysis

max time kernel
149s
max time network
193s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 11:22

Target

1aa7b910d99ef87d29be0bc96c4cf3a2823fea04fafd2a4b736c1156d73b2bb0.exe
Size

1.4MB
MD5

80467b17d18000d6fab38846004e81ea
SHA1

1ffbeeeb77a563e7068cbd85c5d2ee2423e01017
SHA256

1aa7b910d99ef87d29be0bc96c4cf3a2823fea04fafd2a4b736c1156d73b2bb0
SHA512

8ca8ddd7609afa50c15927aec910e9a077ffc89aa213d4f3a0bd4c2be7d7e5f4374a06cb58f0f726715e867376f08fbbea16c32ea1286e4b832b496b6d7a42e9
SSDEEP

24576:CofiMngrdePNzQ0ZIxNXaV9x4IUgs36BUI2So5+jnzFYCaGApu8:7TgReFs0ZM0T+Sk6BU7HIFY7G98

Score

10^/10

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4984-132-0x0000000000E40000-0x0000000000FA2000-memory.dmp	family_stormkitty

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

30 checkip.dyndns.org
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1aa7b910d99ef87d29be0bc96c4cf3a2823fea04fafd2a4b736c1156d73b2bb0.exe

description pid process

Token: SeDebugPrivilege 4984 1aa7b910d99ef87d29be0bc96c4cf3a2823fea04fafd2a4b736c1156d73b2bb0.exe

flow	ioc
30	checkip.dyndns.org

description	pid	process
Token: SeDebugPrivilege	4984	1aa7b910d99ef87d29be0bc96c4cf3a2823fea04fafd2a4b736c1156d73b2bb0.exe

C:\Users\Admin\AppData\Local\Temp\1aa7b910d99ef87d29be0bc96c4cf3a2823fea04fafd2a4b736c1156d73b2bb0.exe
"C:\Users\Admin\AppData\Local\Temp\1aa7b910d99ef87d29be0bc96c4cf3a2823fea04fafd2a4b736c1156d73b2bb0.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4984

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

memory/4984-132-0x0000000000E40000-0x0000000000FA2000-memory.dmp

Filesize
1.4MB

Download
memory/4984-133-0x00007FFE08E30000-0x00007FFE098F1000-memory.dmp

Filesize
10.8MB

Download
memory/4984-134-0x0000000003160000-0x000000000317A000-memory.dmp

Filesize
104KB

Download