stormkitty | b452fc7395cc20a0044ff1697a4588b925d58fd8b0fd8aea1596f80e860bfe82

General

Target

b452fc7395cc20a0044ff1697a4588b925d58fd8b0fd8aea1596f80e860bfe82.exe
Size

285KB
MD5

6c1f437246623bf56541b7871468788f
SHA1

8bfdfcc20897525de3f0b8b50992dbf26963771c
SHA256

b452fc7395cc20a0044ff1697a4588b925d58fd8b0fd8aea1596f80e860bfe82
SHA512

2543b4248c0d57c8cdc314638442ec5a280de26044b0a3652980867f302fdf9579e0a9bd38337aa004befc231dfb13780f2f13bdaa3fe0deebbb2be5008b83df
SSDEEP

6144:/QarTYtulUh/iDV8clenjluFJAdUwTjPpr7TVg//1371N8P1uGlaN:/D0ulUhA8clOjluFJA+wTjJTVg/d371J

Score

10^/10

stormkitty collection spyware stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 4 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\f.exe	family_stormkitty
C:\Users\Admin\AppData\Local\Temp\f.exe	family_stormkitty
C:\Users\Admin\AppData\Local\Temp\f.exe	family_stormkitty
behavioral1/memory/1216-59-0x000000013FD00000-0x000000013FD20000-memory.dmp	family_stormkitty

Executes dropped EXE 1 IoCs

Processes:

f.exe

pid process

1216 f.exe

pid	process
1216	f.exe

Drops startup file 1 IoCs

Processes:

b452fc7395cc20a0044ff1697a4588b925d58fd8b0fd8aea1596f80e860bfe82.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	b452fc7395cc20a0044ff1697a4588b925d58fd8b0fd8aea1596f80e860bfe82.exe

Loads dropped DLL 1 IoCs

Processes:

b452fc7395cc20a0044ff1697a4588b925d58fd8b0fd8aea1596f80e860bfe82.exe

pid process

836 b452fc7395cc20a0044ff1697a4588b925d58fd8b0fd8aea1596f80e860bfe82.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
836	b452fc7395cc20a0044ff1697a4588b925d58fd8b0fd8aea1596f80e860bfe82.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

f.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

b452fc7395cc20a0044ff1697a4588b925d58fd8b0fd8aea1596f80e860bfe82.exe

pid process

836 b452fc7395cc20a0044ff1697a4588b925d58fd8b0fd8aea1596f80e860bfe82.exe

pid	process
836	b452fc7395cc20a0044ff1697a4588b925d58fd8b0fd8aea1596f80e860bfe82.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

b452fc7395cc20a0044ff1697a4588b925d58fd8b0fd8aea1596f80e860bfe82.exe

description	pid	process	target process
PID 836 wrote to memory of 1216	836	b452fc7395cc20a0044ff1697a4588b925d58fd8b0fd8aea1596f80e860bfe82.exe	f.exe
PID 836 wrote to memory of 1216	836	b452fc7395cc20a0044ff1697a4588b925d58fd8b0fd8aea1596f80e860bfe82.exe	f.exe
PID 836 wrote to memory of 1216	836	b452fc7395cc20a0044ff1697a4588b925d58fd8b0fd8aea1596f80e860bfe82.exe	f.exe
PID 836 wrote to memory of 1216	836	b452fc7395cc20a0044ff1697a4588b925d58fd8b0fd8aea1596f80e860bfe82.exe	f.exe

outlook_office_path 1 IoCs

Processes:

f.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f.exe

outlook_win_path 1 IoCs

Processes:

f.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f.exe

C:\Users\Admin\AppData\Local\Temp\b452fc7395cc20a0044ff1697a4588b925d58fd8b0fd8aea1596f80e860bfe82.exe
"C:\Users\Admin\AppData\Local\Temp\b452fc7395cc20a0044ff1697a4588b925d58fd8b0fd8aea1596f80e860bfe82.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
PID:836

C:\Users\Admin\AppData\Local\Temp\f.exe
C:\Users\Admin\AppData\Local\Temp\f.exe
2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:1216

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f.exe
Filesize
114KB

MD5
0d60b0f3fa8652a22e28ba2f378c5f8b

SHA1
6f925ecdb46e911943f220ded64af51c068fb49e

SHA256
2e09d54fffde9e427d070e4ac730b1e408ee0b4a624e5895e46ad4f98e4e65dd

SHA512
b17f5d1ff3e34361646b505cc70c42dd1fa04b5c3b5c59d9141fab263a0679d2b11fef000dffce781e478873259667cc3cb00d88d3631a8ff09be551f3a7c4e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\f.exe
Filesize
114KB

MD5
0d60b0f3fa8652a22e28ba2f378c5f8b

SHA1
6f925ecdb46e911943f220ded64af51c068fb49e

SHA256
2e09d54fffde9e427d070e4ac730b1e408ee0b4a624e5895e46ad4f98e4e65dd

SHA512
b17f5d1ff3e34361646b505cc70c42dd1fa04b5c3b5c59d9141fab263a0679d2b11fef000dffce781e478873259667cc3cb00d88d3631a8ff09be551f3a7c4e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\pwtmp\Browsers\Firefox\Bookmarks.txt
Filesize
115B

MD5
0ca02d5a982debc89a18a061bac91a4b

SHA1
8f0cfe7f0dade0a74f698ba1ea1384045710060c

SHA256
63ed103f5076c20b34f36efa685154aaeda7b66c206fa2f2588994fd9c60de7f

SHA512
a3aff8e71e8288d97b167b9f72bb0be2a4cc5fb4b7d0975e04c792d053aa30e5882005863c7666ef94b08976a924903d52d614c2220836d0b1c247031c87f1ce

Download Submit
\Users\Admin\AppData\Local\Temp\f.exe
Filesize
114KB

MD5
0d60b0f3fa8652a22e28ba2f378c5f8b

SHA1
6f925ecdb46e911943f220ded64af51c068fb49e

SHA256
2e09d54fffde9e427d070e4ac730b1e408ee0b4a624e5895e46ad4f98e4e65dd

SHA512
b17f5d1ff3e34361646b505cc70c42dd1fa04b5c3b5c59d9141fab263a0679d2b11fef000dffce781e478873259667cc3cb00d88d3631a8ff09be551f3a7c4e6

Download Submit
memory/836-54-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download
memory/1216-56-0x0000000000000000-mapping.dmp

Download
memory/1216-59-0x000000013FD00000-0x000000013FD20000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads