stormkitty | hxxps://github[.]com/Bulldogfrfr/LaF-krunker-Client/blob/main/LaF_Setup_Windows_x64[.]exe

General

Target

https://github.com/Bulldogfrfr/LaF-krunker-Client/blob/main/LaF_Setup_Windows_x64.exe

Score

10^/10

stormkitty stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TAR9OKL9\LaF_Setup_Windows_x64.exe.nmscjmv.partial	family_stormkitty
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TAR9OKL9\LaF_Setup_Windows_x64.exe	family_stormkitty
behavioral1/memory/1276-58-0x0000000000C00000-0x0000000000C16000-memory.dmp	family_stormkitty

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

LaF_Setup_Windows_x64.exe

pid process

1276 LaF_Setup_Windows_x64.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1168 1276 WerFault.exe LaF_Setup_Windows_x64.exe

pid	process
1276	LaF_Setup_Windows_x64.exe

pid	pid_target	process	target process
1168	1276	WerFault.exe	LaF_Setup_Windows_x64.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = a0dcd4e34b2bd901	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "380818254"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002cabd1df309026449fc57da6e6d0cf5b00000000020000000000106600000001000020000000e8d2b8dd7fc8d773dd7ea3eaea1805c17ec05cafef9d79d9b913aa74e2900941000000000e800000000200002000000093d5da6d40c9004d224947c1c18e1a4168c1746e8f1a3dfdb93f4a361b351d7a90000000c67283474ff9025ce4d53bcac5f2c9f94f033342ad59c50e516dca17b8d3ab85d597d56346e1448cdab3a5ce57055252368399b487b90f513533b706c17b77dd2e3d4cb852f8a901064eb16d775032cad10d647ff1ce7e7ddf250a5dd446a61f0e54b4e6829ea894b38c81aa4a5a2d6362cae88e6449adb2bd409da7783848650172152b43281fae39d97e7fca11799c4000000046c009bf25a195035f6b1a6e2d42702d556091f738654cfbd72bb591ebf5ad837e36ebc0fbd71ba5fde9d294acd7983b5e717c825d3239e0a3e1e0861d61caa3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002cabd1df309026449fc57da6e6d0cf5b00000000020000000000106600000001000020000000e897f4c919cf470d50da0d0f2cfd45b37c1684062a7f113b4da2ee595006ace5000000000e80000000020000200000006ef5eb89dea84c98946843060707f602f9f9d8aedd92998e1563e724c5100c2920000000320539eb4ba157ecaec648f8fd4b0264dd1748ff100dfab300ea936b6ae5f3f5400000006a242d111d2d8ca369f0987c55311bf8b48dbb59cbfca7fec3bc6670ce369b728f7ecd901f61111f1dd08c8b4fdb335f8c78cfbc6a7dfee0fa0512bb0662cf56	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 207b5ff44b2bd901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{19FA47C1-973F-11ED-BBEF-F2255ECFD43B} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exe

pid process

852 iexplore.exe
852 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

852 iexplore.exe
852 iexplore.exe
1380 IEXPLORE.EXE
1380 IEXPLORE.EXE
1380 IEXPLORE.EXE
1380 IEXPLORE.EXE

pid	process
852	iexplore.exe
852	iexplore.exe

pid	process
852	iexplore.exe
852	iexplore.exe
1380	IEXPLORE.EXE
1380	IEXPLORE.EXE
1380	IEXPLORE.EXE
1380	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

iexplore.exeLaF_Setup_Windows_x64.exe

description	pid	process	target process
PID 852 wrote to memory of 1380	852	iexplore.exe	IEXPLORE.EXE
PID 852 wrote to memory of 1380	852	iexplore.exe	IEXPLORE.EXE
PID 852 wrote to memory of 1380	852	iexplore.exe	IEXPLORE.EXE
PID 852 wrote to memory of 1380	852	iexplore.exe	IEXPLORE.EXE
PID 852 wrote to memory of 1276	852	iexplore.exe	LaF_Setup_Windows_x64.exe
PID 852 wrote to memory of 1276	852	iexplore.exe	LaF_Setup_Windows_x64.exe
PID 852 wrote to memory of 1276	852	iexplore.exe	LaF_Setup_Windows_x64.exe
PID 1276 wrote to memory of 1168	1276	LaF_Setup_Windows_x64.exe	WerFault.exe
PID 1276 wrote to memory of 1168	1276	LaF_Setup_Windows_x64.exe	WerFault.exe
PID 1276 wrote to memory of 1168	1276	LaF_Setup_Windows_x64.exe	WerFault.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/Bulldogfrfr/LaF-krunker-Client/blob/main/LaF_Setup_Windows_x64.exe
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:852

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:852 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1380

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TAR9OKL9\LaF_Setup_Windows_x64.exe
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TAR9OKL9\LaF_Setup_Windows_x64.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1276

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1276 -s 656
3⤵
- Program crash
PID:1168

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c82951d4415e69aa5af0a60f05747879

SHA1
7a489e340913124e47260d5f7edd99d3733317ad

SHA256
bb2602d843be043d692854001787d2cece2064164a9b94994769958d7857d93d

SHA512
c960bcf5cc27f45d5f5a03422a44859f76bbdc1efb4e3999b98bf7c897d1971dd02f4f66eb706508abd7c6f9b2c8f78d94248da63fdb40fb68d0165f07570dc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\309axvf\imagestore.dat
Filesize
5KB

MD5
1b34de76a16cbf24ef3f23a0d5eefd70

SHA1
a4180ada4999ccf748fa6667e5f894837ceb5b3d

SHA256
e2a1ed07711f94443216ef73ec715994abca1d80a965778f9548ddca059173c8

SHA512
399923ab42b5f67715a9f08cc7b0d695221bf1afe4e95860d0cc220c7b4405327c2b722c8f0524eb47d681afd20d56da97a87474cff70d012c1472fee0f07871

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TAR9OKL9\LaF_Setup_Windows_x64.exe
Filesize
63KB

MD5
25fc98107ffc3d6763b702f1167e913f

SHA1
aeaa8b4139771dbec081f34cd1e382e8317a9fbd

SHA256
19cd3bbcb2e7013aa7ac5240a481c059824d32ee039652a5cab79da08b84d4e6

SHA512
37a3accb6457fa7d9b8e647dab779ded49798e96efea2e11847ef354419ff39d4eb217dc3c88686bec8839b9f5be5dca2718647c93b0fdccd400928cc9457f35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TAR9OKL9\LaF_Setup_Windows_x64.exe.nmscjmv.partial
Filesize
63KB

MD5
25fc98107ffc3d6763b702f1167e913f

SHA1
aeaa8b4139771dbec081f34cd1e382e8317a9fbd

SHA256
19cd3bbcb2e7013aa7ac5240a481c059824d32ee039652a5cab79da08b84d4e6

SHA512
37a3accb6457fa7d9b8e647dab779ded49798e96efea2e11847ef354419ff39d4eb217dc3c88686bec8839b9f5be5dca2718647c93b0fdccd400928cc9457f35

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\L55GRX13.txt
Filesize
598B

MD5
0bae92fb5d9c8a085117f6e1ea884993

SHA1
77106deb6adcd951da1ceb7118623e810be014f4

SHA256
f14bd280d9cfddc7cf77ea5100e22375acc7984cf73ce21d295c214931a329af

SHA512
4dd358aa6bc96cd214c72ee18e7e549d268b8b3d4adb48ad23d208965999b302081bd2822a27cd25981cdfb1fd809ea1bfe8f0fb94daaee99baab5edd05ebf08

Download Submit
memory/1168-59-0x0000000000000000-mapping.dmp

Download
memory/1276-56-0x0000000000000000-mapping.dmp

Download
memory/1276-58-0x0000000000C00000-0x0000000000C16000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads