stormkitty | 58d10ab32005fe9f5bca2f8c933af8c89a43a1f49e934f26df9f8a48068ea0b5

General

Target

diamond spoofer.exe
Size

3.9MB
MD5

e5b42dbabb058b30f7fcc8a0a2050452
SHA1

9ec11afec660f1e4baed9c764e7995bf755c2011
SHA256

58d10ab32005fe9f5bca2f8c933af8c89a43a1f49e934f26df9f8a48068ea0b5
SHA512

f6199e85ae115650d1c01f4d7bb888701757399611a37b03a9c53100acd8b142ec00ea98bbdca75ef1b8ee9a03043c1ce1566874645f8c3606c75bd55f9b1e23
SSDEEP

98304:y0T+Srp3YVrsk9N8ivyhAdsPSQxhKnWJLXq0f4ogdCyb:xfSVN8iNISOvJzqwU

Score

10^/10

stormkitty spyware stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3592-132-0x00000000002D0000-0x00000000006C0000-memory.dmp	family_stormkitty

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/3592-132-0x00000000002D0000-0x00000000006C0000-memory.dmp	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\svchoster.exe	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\svchoster.exe	WebBrowserPassView

Nirsoft 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3592-132-0x00000000002D0000-0x00000000006C0000-memory.dmp	Nirsoft
C:\Users\Admin\AppData\Local\Temp\svchoster.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\svchoster.exe	Nirsoft

Executes dropped EXE 1 IoCs

Processes:

svchoster.exe

pid process

4708 svchoster.exe

pid	process
4708	svchoster.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

diamond spoofer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	diamond spoofer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 checkip.dyndns.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

svchoster.exe

pid process

4708 svchoster.exe
4708 svchoster.exe
4708 svchoster.exe
4708 svchoster.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

diamond spoofer.exe

description pid process

Token: SeDebugPrivilege 3592 diamond spoofer.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

diamond spoofer.exe

pid process

3592 diamond spoofer.exe

flow	ioc
5	checkip.dyndns.org

pid	process
4708	svchoster.exe
4708	svchoster.exe
4708	svchoster.exe
4708	svchoster.exe

description	pid	process
Token: SeDebugPrivilege	3592	diamond spoofer.exe

pid	process
3592	diamond spoofer.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

diamond spoofer.execmd.exe

description	pid	process	target process
PID 3592 wrote to memory of 364	3592	diamond spoofer.exe	cmd.exe
PID 3592 wrote to memory of 364	3592	diamond spoofer.exe	cmd.exe
PID 3592 wrote to memory of 364	3592	diamond spoofer.exe	cmd.exe
PID 364 wrote to memory of 4708	364	cmd.exe	svchoster.exe
PID 364 wrote to memory of 4708	364	cmd.exe	svchoster.exe
PID 364 wrote to memory of 4708	364	cmd.exe	svchoster.exe

C:\Users\Admin\AppData\Local\Temp\diamond spoofer.exe
"C:\Users\Admin\AppData\Local\Temp\diamond spoofer.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3592

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C start %temp%\svchoster.exe /stext "%temp%\Passes.cpp"
2⤵
- Suspicious use of WriteProcessMemory
PID:364

C:\Users\Admin\AppData\Local\Temp\svchoster.exe
C:\Users\Admin\AppData\Local\Temp\svchoster.exe /stext "C:\Users\Admin\AppData\Local\Temp\Passes.cpp"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4708

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svchoster.exe
Filesize
391KB

MD5
053778713819beab3df309df472787cd

SHA1
99c7b5827df89b4fafc2b565abed97c58a3c65b8

SHA256
f999357a17e672e87fbed66d14ba2bebd6fb04e058a1aae0f0fdc49a797f58fe

SHA512
35a00001c718e36e956f49879e453f18f5d6c66bbc6a3e1aad6d5dd1109904539b173c3cad0009bc021d4513a67ae0003282f7d14b7aecaa20e59a22c6ad0ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchoster.exe
Filesize
391KB

MD5
053778713819beab3df309df472787cd

SHA1
99c7b5827df89b4fafc2b565abed97c58a3c65b8

SHA256
f999357a17e672e87fbed66d14ba2bebd6fb04e058a1aae0f0fdc49a797f58fe

SHA512
35a00001c718e36e956f49879e453f18f5d6c66bbc6a3e1aad6d5dd1109904539b173c3cad0009bc021d4513a67ae0003282f7d14b7aecaa20e59a22c6ad0ddb

Download Submit
memory/364-133-0x0000000000000000-mapping.dmp

Download
memory/3592-132-0x00000000002D0000-0x00000000006C0000-memory.dmp

Filesize
3.9MB

Download
memory/3592-134-0x00000000061E0000-0x0000000006272000-memory.dmp

Filesize
584KB

Download
memory/3592-135-0x0000000006830000-0x0000000006DD4000-memory.dmp

Filesize
5.6MB

Download
memory/3592-139-0x0000000007600000-0x0000000007676000-memory.dmp

Filesize
472KB

Download
memory/3592-140-0x0000000006320000-0x000000000633E000-memory.dmp

Filesize
120KB

Download
memory/4708-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads