stormkitty | 5d98c3afedbff733afeabec59003a7a952d2e09fd5179fa71d0745454ee59699

Analysis

max time kernel
129s
max time network
131s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
31-01-2023 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Raccoon Stealer Builder.exe
Size

239KB
MD5

0de94fc3e5f5e0e34d26abef5d3d6d2b
SHA1

23c26448be63a797e4b0166d6919ae9402aba6cc
SHA256

5d98c3afedbff733afeabec59003a7a952d2e09fd5179fa71d0745454ee59699
SHA512

bf6b2cfae5819c84e75bfb30193038d21fae0fdef82f91251bef904940bf8a866ad0ddd97980548400b83c08b0d4622b1f7a3f852b087d13a4f925ffe339950b
SSDEEP

3072:7+bZPfpKU+oF9a3voehFxtyI75ytEa+LFFCxge1nw1TV/oOWk:abpfpKU+u9obr70+ZmgoOWk

Score

10^/10

stormkitty persistence stealer

Malware Config

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/952-54-0x0000000000A90000-0x0000000000AD0000-memory.dmp	disable_win_def

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/952-54-0x0000000000A90000-0x0000000000AD0000-memory.dmp	family_stormkitty

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Raccoon Stealer Builder.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvidiaDValueOn = "C:\\Users\\Admin\\AppData\\Local\\NVIDIA Local Drivers\\DriversUpdateProcess_x64.exe"	Raccoon Stealer Builder.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 checkip.dyndns.org
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1128 952 WerFault.exe Raccoon Stealer Builder.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Raccoon Stealer Builder.exe

description pid process

Token: SeDebugPrivilege 952 Raccoon Stealer Builder.exe

flow	ioc
3	checkip.dyndns.org

pid	pid_target	process	target process
1128	952	WerFault.exe	Raccoon Stealer Builder.exe

description	pid	process
Token: SeDebugPrivilege	952	Raccoon Stealer Builder.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

Raccoon Stealer Builder.exe

description	pid	process	target process
PID 952 wrote to memory of 1128	952	Raccoon Stealer Builder.exe	WerFault.exe
PID 952 wrote to memory of 1128	952	Raccoon Stealer Builder.exe	WerFault.exe
PID 952 wrote to memory of 1128	952	Raccoon Stealer Builder.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Raccoon Stealer Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Raccoon Stealer Builder.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:952

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 952 -s 1016
2⤵
- Program crash
PID:1128

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/952-54-0x0000000000A90000-0x0000000000AD0000-memory.dmp

Filesize
256KB

Download
memory/1128-55-0x0000000000000000-mapping.dmp

Download