Overview

Score: 10

Tasks (task, platform, score; task names are truncated on the page):
Static                                      10
StormSpoof...of.dll   windows7-x64           1
StormSpoof...of.dll   windows10-2004-x64     1
StormSpoof...0S.dll   windows7-x64           1
StormSpoof...0S.dll   windows10-2004-x64     3
StormSpoof...of.dll   windows7-x64           1
StormSpoof...of.dll   windows10-2004-x64     1
StormSpoof...er.exe   windows7-x64          10
StormSpoof...er.exe   windows10-2004-x64    10
Analysis

max time kernel:   122s
max time network:  125s
platform:          windows7_x64
resource:          win7-20230712-en
resource tags:     arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted:         14-08-2023 13:21

The details below come from behavioral7 (StormSpoofer/StormSpoofer.exe on win7-20230712-en): the YARA hit is recorded under behavioral7/memory and the process tree is that task's.
Behavioral tasks

Task         Sample                         Resource
behavioral1  StormSpoofer/HwidSpoof.dll     win7-20230712-en
behavioral2  StormSpoofer/HwidSpoof.dll     win10v2004-20230703-en
behavioral3  StormSpoofer/SpoofB10S.dll     win7-20230712-en
behavioral4  StormSpoofer/SpoofB10S.dll     win10v2004-20230703-en
behavioral5  StormSpoofer/StormSpoof.dll    win7-20230712-en
behavioral6  StormSpoofer/StormSpoof.dll    win10v2004-20230703-en
behavioral7  StormSpoofer/StormSpoofer.exe  win7-20230712-en
behavioral8  StormSpoofer/StormSpoofer.exe  win10v2004-20230703-en
General

Target:  StormSpoofer/StormSpoofer.exe
Size:    2.0MB
MD5:     0071a5ec31891617ed9b292f018987b1
SHA1:    82a16959d85bcd1fa2b0becd02e7896e0d297fe3
SHA256:  d8533aecec0559761692a9ae4f2b42f9ce45df326edb8a76b90ef6aa60ea2336
SHA512:  4d749da4d360449739fe0d6a6e74186ab6cea0e7a73627a947715640014cf3e018cff693a39d39c805ea774a97974aff8e45d7aeed22557fe21678e81bc5f19e
SSDEEP:  49152:M4/o7K1lja8Gdq7ZMHbLjSR9SBl5c9Tc+MGlDKVXhWd9/2A:F/zXjaL4ZMHbLjQElAcfMDz
Malware Config
Signatures

StormKitty
StormKitty is an open-source information stealer written in C#.

StormKitty payload (1 IoC)
resource:   behavioral7/memory/2432-53-0x0000000000EC0000-0x00000000010D2000-memory.dmp
yara_rule:  family_stormkitty
The rule matched a memory dump of PID 2432 (StormSpoofer.exe), so the stealer is identified in the running process, not only in the file on disk.

Reads user/profile data of web browsers (2 TTPs)
Infostealers commonly target stored browser data, which can include saved credentials and other profile data.

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP address.
flow: 9    ioc: checkip.dyndns.org

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
2432  StormSpoofer.exe
2432  StormSpoofer.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description              pid   Process
Token: SeDebugPrivilege  2432  StormSpoofer.exe
Enabling SeDebugPrivilege lets the process open other processes regardless of their ACLs; combined with the process enumeration above it is the usual prelude to reading from them.

Suspicious use of WriteProcessMemory (12 IoCs)
description                       pid   Process           procid_target
PID 2432 wrote to memory of 2392  2432  StormSpoofer.exe  29
PID 2432 wrote to memory of 2392  2432  StormSpoofer.exe  29
PID 2432 wrote to memory of 2392  2432  StormSpoofer.exe  29
PID 2392 wrote to memory of 2968  2392  cmd.exe           31
PID 2392 wrote to memory of 2968  2392  cmd.exe           31
PID 2392 wrote to memory of 2968  2392  cmd.exe           31
PID 2392 wrote to memory of 2740  2392  cmd.exe           32
PID 2392 wrote to memory of 2740  2392  cmd.exe           32
PID 2392 wrote to memory of 2740  2392  cmd.exe           32
PID 2392 wrote to memory of 2732  2392  cmd.exe           33
PID 2392 wrote to memory of 2732  2392  cmd.exe           33
PID 2392 wrote to memory of 2732  2392  cmd.exe           33
Every target here is a child that the writing process itself spawned (compare the process tree below), so these are the writes that accompany process creation, not injection into an unrelated process.
Processes

C:\Users\Admin\AppData\Local\Temp\StormSpoofer\StormSpoofer.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\StormSpoofer\StormSpoofer.exe"
  PID: 2432
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\system32\cmd.exe
      command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      PID: 2392
      - Suspicious use of WriteProcessMemory
      |
      +-- C:\Windows\system32\chcp.com
          command line: chcp 65001
          PID: 2968
      +-- C:\Windows\system32\netsh.exe
          command line: netsh wlan show profile
          PID: 2740
      +-- C:\Windows\system32\findstr.exe
          command line: findstr All
          PID: 2732

The cmd.exe one-liner is a saved Wi-Fi profile enumeration step: chcp 65001 switches the console to UTF-8 so non-ASCII SSIDs survive capture, netsh wlan show profile lists the stored wireless profiles, and findstr All keeps only the "All User Profile" lines that carry the profile names.
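The following is an added detection example, not code from the sandbox, the sample or StormKitty. It replays this report's process tree and the checkip.dyndns.org lookup as constructed telemetry (PIDs, images and command lines copied from the page; the second DNS event with pid 1180 and www.microsoft.com is an assumed benign entry added for contrast), flags any `netsh wlan show profile` run from a process tree rooted outside the Windows directory, flags lookups of the IP-echo host, and correlates both back to a single root process. The "rooted outside C:\Windows" heuristic is an assumption of this example, chosen so that an administrator running netsh from an Explorer-launched console is not flagged.

```python
"""Added detection example for the StormKitty behaviour in this report."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int      # 0 marks the root of the captured tree
    image: str
    cmdline: str


# Constructed process-creation events mirroring the tree in this report
# (PIDs, images and command lines taken from the page).
EVENTS = [
    ProcEvent(2432, 0, r"C:\Users\Admin\AppData\Local\Temp\StormSpoofer\StormSpoofer.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\StormSpoofer\StormSpoofer.exe"'),
    ProcEvent(2392, 2432, r"C:\Windows\system32\cmd.exe",
              '"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All'),
    ProcEvent(2968, 2392, r"C:\Windows\system32\chcp.com", "chcp 65001"),
    ProcEvent(2740, 2392, r"C:\Windows\system32\netsh.exe", "netsh wlan show profile"),
    ProcEvent(2732, 2392, r"C:\Windows\system32\findstr.exe", "findstr All"),
]

# Constructed name-resolution events: the host from the report's "flow 9" IoC
# plus an assumed benign lookup from a hypothetical pid 1180 for contrast.
DNS_EVENTS = [
    (2432, "checkip.dyndns.org"),
    (1180, "www.microsoft.com"),
]

# Only the IP-echo host seen in this report; extend with other such services.
IP_LOOKUP_HOSTS = {"checkip.dyndns.org"}

# "netsh wlan show profile(s)", either as a bare command or inside a cmd.exe one-liner.
WLAN_PROFILE_RE = re.compile(r"\bnetsh(?:\.exe)?\s+wlan\s+show\s+profiles?\b", re.I)
# Assumed heuristic: a tree rooted under the Windows directory (explorer.exe,
# services.exe) is treated as ordinary admin activity; a user-writable root is not.
WINDOWS_DIR_RE = re.compile(r"^[a-z]:\\windows\\", re.I)


def root_ancestor(pid, by_pid):
    """Follow ppid links to the top of the captured tree (cycle-safe)."""
    ev = by_pid[pid]
    seen = {pid}
    while ev.ppid in by_pid and ev.ppid not in seen:
        seen.add(ev.ppid)
        ev = by_pid[ev.ppid]
    return ev


def detect_wifi_profile_harvest(events):
    """One finding per process whose command line runs (or spawns via cmd.exe)
    'netsh wlan show profile' inside a tree rooted outside the Windows directory."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if not WLAN_PROFILE_RE.search(ev.cmdline):
            continue
        root = root_ancestor(ev.pid, by_pid)
        if WINDOWS_DIR_RE.match(root.image):
            continue
        findings.append({"pid": ev.pid, "image": ev.image,
                         "root_pid": root.pid, "root_image": root.image})
    return findings


def detect_ip_lookup(dns_events):
    """(pid, host) pairs that resolved a known external-IP echo service."""
    return [(pid, host) for pid, host in dns_events if host.lower() in IP_LOOKUP_HOSTS]


def correlate(events, dns_events):
    """Root pids that both harvested Wi-Fi profiles and looked up their public IP,
    the combination this report attributes to StormKitty."""
    harvest_roots = {f["root_pid"] for f in detect_wifi_profile_harvest(events)}
    lookup_pids = {pid for pid, _ in detect_ip_lookup(dns_events)}
    return harvest_roots & lookup_pids


if __name__ == "__main__":
    for finding in detect_wifi_profile_harvest(EVENTS):
        print("wifi profile harvest:", finding)
    print("ip lookup:", detect_ip_lookup(DNS_EVENTS))
    print("correlated roots:", correlate(EVENTS, DNS_EVENTS))
```

Run against the constructed events this reports two harvest findings (the cmd.exe one-liner, PID 2392, and the netsh.exe child, PID 2740), both rooted at PID 2432 under AppData\Local\Temp, one IP-lookup hit for PID 2432, and a correlated root of {2432}. In real telemetry the DNS event may be attributed to a child rather than the root, so the correlation should be widened to the child's root ancestor before intersecting.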