stormkitty | 0db34a2edc14731f5a5b0a0cd0ce855f76a43f0279d0259383682ee59eba43f2

General

Target

ZAZAgenv2.exe (1) (1).exe
Size

3.8MB
MD5

5adc42fc3c4641933072fd628c07778b
SHA1

88dacdf1ab3aea812c7aaeb0e532edddf22c1ef4
SHA256

0db34a2edc14731f5a5b0a0cd0ce855f76a43f0279d0259383682ee59eba43f2
SHA512

9fcfda10612301d90846042b8a8ee5519012727caf5c4138037934b6ccd12cd9808c2e1c8378e54cc72b7a26fbc1274224179bb36e17f937b2254ba4b4dc7678
SSDEEP

98304:Qu0T+Srp3YVrsk9N8ivyhAdsPSQxhsnWJLXq0f9ogdCyb:QtfSVN8iNISOlJzqwf

Score

10^/10

stormkitty spyware stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5092-132-0x0000000000470000-0x0000000000850000-memory.dmp	family_stormkitty

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/5092-132-0x0000000000470000-0x0000000000850000-memory.dmp	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\svchoster.exe	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\svchoster.exe	WebBrowserPassView

Nirsoft 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5092-132-0x0000000000470000-0x0000000000850000-memory.dmp	Nirsoft
C:\Users\Admin\AppData\Local\Temp\svchoster.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\svchoster.exe	Nirsoft

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ZAZAgenv2.exe (1) (1).exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	ZAZAgenv2.exe (1) (1).exe

Executes dropped EXE 1 IoCs

Processes:

svchoster.exe

pid process

4636 svchoster.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

18 checkip.dyndns.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1172 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

svchoster.exe

pid process

4636 svchoster.exe
4636 svchoster.exe
4636 svchoster.exe
4636 svchoster.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ZAZAgenv2.exe (1) (1).exe

description pid process

Token: SeDebugPrivilege 5092 ZAZAgenv2.exe (1) (1).exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

ZAZAgenv2.exe (1) (1).exe

pid process

5092 ZAZAgenv2.exe (1) (1).exe

pid	process
4636	svchoster.exe

flow	ioc
18	checkip.dyndns.org

pid	process
1172	NOTEPAD.EXE

pid	process
4636	svchoster.exe
4636	svchoster.exe
4636	svchoster.exe
4636	svchoster.exe

description	pid	process
Token: SeDebugPrivilege	5092	ZAZAgenv2.exe (1) (1).exe

pid	process
5092	ZAZAgenv2.exe (1) (1).exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

ZAZAgenv2.exe (1) (1).execmd.exe

description	pid	process	target process
PID 5092 wrote to memory of 4300	5092	ZAZAgenv2.exe (1) (1).exe	cmd.exe
PID 5092 wrote to memory of 4300	5092	ZAZAgenv2.exe (1) (1).exe	cmd.exe
PID 5092 wrote to memory of 4300	5092	ZAZAgenv2.exe (1) (1).exe	cmd.exe
PID 4300 wrote to memory of 4636	4300	cmd.exe	svchoster.exe
PID 4300 wrote to memory of 4636	4300	cmd.exe	svchoster.exe
PID 4300 wrote to memory of 4636	4300	cmd.exe	svchoster.exe

C:\Users\Admin\AppData\Local\Temp\ZAZAgenv2.exe (1) (1).exe
"C:\Users\Admin\AppData\Local\Temp\ZAZAgenv2.exe (1) (1).exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5092

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C start %temp%\svchoster.exe /stext "%temp%\Passes.cpp"
2⤵
- Suspicious use of WriteProcessMemory
PID:4300

C:\Users\Admin\AppData\Local\Temp\svchoster.exe
C:\Users\Admin\AppData\Local\Temp\svchoster.exe /stext "C:\Users\Admin\AppData\Local\Temp\Passes.cpp"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4636

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ResizeNew.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1172

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svchoster.exe
Filesize
391KB

MD5
053778713819beab3df309df472787cd

SHA1
99c7b5827df89b4fafc2b565abed97c58a3c65b8

SHA256
f999357a17e672e87fbed66d14ba2bebd6fb04e058a1aae0f0fdc49a797f58fe

SHA512
35a00001c718e36e956f49879e453f18f5d6c66bbc6a3e1aad6d5dd1109904539b173c3cad0009bc021d4513a67ae0003282f7d14b7aecaa20e59a22c6ad0ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchoster.exe
Filesize
391KB

MD5
053778713819beab3df309df472787cd

SHA1
99c7b5827df89b4fafc2b565abed97c58a3c65b8

SHA256
f999357a17e672e87fbed66d14ba2bebd6fb04e058a1aae0f0fdc49a797f58fe

SHA512
35a00001c718e36e956f49879e453f18f5d6c66bbc6a3e1aad6d5dd1109904539b173c3cad0009bc021d4513a67ae0003282f7d14b7aecaa20e59a22c6ad0ddb

Download Submit
memory/4300-133-0x0000000000000000-mapping.dmp

Download
memory/4636-136-0x0000000000000000-mapping.dmp

Download
memory/5092-132-0x0000000000470000-0x0000000000850000-memory.dmp

Filesize
3.9MB

Download
memory/5092-134-0x0000000006010000-0x00000000060A2000-memory.dmp

Filesize
584KB

Download
memory/5092-135-0x0000000006660000-0x0000000006C04000-memory.dmp

Filesize
5.6MB

Download
memory/5092-139-0x0000000007430000-0x00000000074A6000-memory.dmp

Filesize
472KB

Download
memory/5092-140-0x00000000065F0000-0x000000000660E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads