stormkitty | c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2

General

Target

c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe
Size

3.4MB
MD5

a75a69c8e7d43c798214ecfe57397224
SHA1

5eea407838965192b0785ae08e7c7b4dbf900e33
SHA256

c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2
SHA512

13cfcacf1c0fe8cb80a775394720fc1f77c14e36d187356ff9d60a37bd1cf0ff14f2a85780437981db5b1411218a1dbd85f93f4b1053d9196679a7d149949d5a
SSDEEP

49152:WelMheDwmXQVKk2rBkyD3RZDaCAxQs8VlIiWSk8hM0wGUsfisgEWmBMbLCDrYGE5:7L8ArGoaCls8VlIkkgMlGUkMqoX

Score

10^/10

stormkitty evasion stealer themida trojan

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1720-59-0x0000000001290000-0x0000000001B16000-memory.dmp	family_stormkitty
behavioral1/memory/1720-60-0x0000000001290000-0x0000000001B16000-memory.dmp	family_stormkitty
behavioral1/memory/1720-65-0x0000000001290000-0x0000000001B16000-memory.dmp	family_stormkitty

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1120 cmd.exe

pid	process
1120	cmd.exe

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/1720-57-0x0000000001290000-0x0000000001B16000-memory.dmp	themida
behavioral1/memory/1720-59-0x0000000001290000-0x0000000001B16000-memory.dmp	themida
behavioral1/memory/1720-60-0x0000000001290000-0x0000000001B16000-memory.dmp	themida
behavioral1/memory/1720-65-0x0000000001290000-0x0000000001B16000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

Processes:

c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe

pid	process
1720	c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe
1720	c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe
1720	c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe
1720	c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe
1720	c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe
1720	c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe
1720	c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe
1720	c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe
1720	c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe
1720	c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

568 timeout.exe

pid	process
568	timeout.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe

pid	process
1720	c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe
1720	c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe
1720	c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe
1720	c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe
1720	c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe
1720	c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe
1720	c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe
1720	c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe
1720	c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe
1720	c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe
1720	c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe
1720	c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe
1720	c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe
1720	c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe

description pid process

Token: SeDebugPrivilege 1720 c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe

description	pid	process
Token: SeDebugPrivilege	1720	c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.execmd.exe

description	pid	process	target process
PID 1720 wrote to memory of 1120	1720	c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe	cmd.exe
PID 1720 wrote to memory of 1120	1720	c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe	cmd.exe
PID 1720 wrote to memory of 1120	1720	c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe	cmd.exe
PID 1720 wrote to memory of 1120	1720	c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe	cmd.exe
PID 1120 wrote to memory of 568	1120	cmd.exe	timeout.exe
PID 1120 wrote to memory of 568	1120	cmd.exe	timeout.exe
PID 1120 wrote to memory of 568	1120	cmd.exe	timeout.exe
PID 1120 wrote to memory of 568	1120	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe
"C:\Users\Admin\AppData\Local\Temp\c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp5533.tmp.cmd""
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\SysWOW64\timeout.exe
timeout 4
3⤵
- Delays execution with timeout.exe
PID:568

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5533.tmp.cmd
Filesize
246B

MD5
c6dd9e242dff12ac702084b204c96965

SHA1
e7941a7c9eea8bddc56854e087d0d404e50a9d11

SHA256
7a4c6ff4526d75723273b2e7067863397239235eb2dc8f4f87f6470cd30119ad

SHA512
57abed70b87a05752be73e7506a51fda3338d0017a5c2f625b993e281e7f22dfc2351051a1a918ffbf6b3cdbf07d37678b48672efb1465762f6a0c7ad8618b2f

Download Submit
memory/568-68-0x0000000000000000-mapping.dmp

Download
memory/1120-64-0x0000000000000000-mapping.dmp

Download
memory/1720-62-0x00000000052F5000-0x0000000005306000-memory.dmp

Filesize
68KB

Download
memory/1720-60-0x0000000001290000-0x0000000001B16000-memory.dmp

Filesize
8.5MB

Download
memory/1720-61-0x0000000004F20000-0x0000000004F98000-memory.dmp

Filesize
480KB

Download
memory/1720-54-0x0000000074BB1000-0x0000000074BB3000-memory.dmp

Filesize
8KB

Download
memory/1720-63-0x0000000005890000-0x0000000005906000-memory.dmp

Filesize
472KB

Download
memory/1720-59-0x0000000001290000-0x0000000001B16000-memory.dmp

Filesize
8.5MB

Download
memory/1720-65-0x0000000001290000-0x0000000001B16000-memory.dmp

Filesize
8.5MB

Download
memory/1720-58-0x0000000077130000-0x00000000772B0000-memory.dmp

Filesize
1.5MB

Download
memory/1720-66-0x0000000077130000-0x00000000772B0000-memory.dmp

Filesize
1.5MB

Download
memory/1720-57-0x0000000001290000-0x0000000001B16000-memory.dmp

Filesize
8.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads