Malware Analysis Report

2025-01-03 06:40

Sample ID: 230814-qlv9wseb8v
Target: StormSpoofer.rar
SHA256: b0a4e447d41c4e1fe3b1105125814d4210332c70c743bef134077b7000bf1701
Tags: stormkitty spyware stealer
Score: 10/10

Analysis Overview

Score: 10/10
SHA256: b0a4e447d41c4e1fe3b1105125814d4210332c70c743bef134077b7000bf1701
Threat Level: Known bad

The file StormSpoofer.rar was found to be: Known bad.

Malicious Activity Summary

Tags: stormkitty spyware stealer

- Stormkitty family
- StormKitty
- StormKitty payload
- Reads user/profile data of web browsers
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
- Program crash
- Unsigned PE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-08-14 13:21

Signatures

StormKitty payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Stormkitty family
Tags: stormkitty

Unsigned PE
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2023-08-14 13:21
Reported: 2023-08-14 13:24
Platform: win10v2004-20230703-en
Max time kernel: 117s
Max time network: 152s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\StormSpoofer\HwidSpoof.dll

Signatures

Modifies registry class
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8c7eaf13-fbd6-4ed8-ac79-fb12fcd71326}\TypeLib | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8c7eaf13-fbd6-4ed8-ac79-fb12fcd71326} | C:\Windows\system32\regsvr32.exe | N/A

Processes

C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\StormSpoofer\HwidSpoof.dll

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp
US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.178.89.13.in-addr.arpa | udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted: 2023-08-14 13:21
Reported: 2023-08-14 13:24
Platform: win7-20230712-en
Max time kernel: 120s
Max time network: 123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\StormSpoofer\SpoofB10S.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\StormSpoofer\SpoofB10S.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-08-14 13:21
Reported: 2023-08-14 13:24
Platform: win7-20230712-en
Max time kernel: 119s
Max time network: 121s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\StormSpoofer\HwidSpoof.dll

Signatures

N/A

Processes

C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\StormSpoofer\HwidSpoof.dll

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted: 2023-08-14 13:21
Reported: 2023-08-14 13:24
Platform: win10v2004-20230703-en
Max time kernel: 140s
Max time network: 154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\StormSpoofer\SpoofB10S.dll,#1

Signatures

Program crash
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\StormSpoofer\SpoofB10S.dll,#1

C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 404 -p 3264 -ip 3264

C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 3264 -s 332

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 126.131.241.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 254.132.255.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted: 2023-08-14 13:21
Reported: 2023-08-14 13:24
Platform: win7-20230712-en
Max time kernel: 122s
Max time network: 125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\StormSpoofer\StormSpoof.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\StormSpoofer\StormSpoof.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted: 2023-08-14 13:21
Reported: 2023-08-14 13:24
Platform: win10v2004-20230703-en
Max time kernel: 142s
Max time network: 153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\StormSpoofer\StormSpoof.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\StormSpoofer\StormSpoof.dll,#1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 203.151.224.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.173.189.20.in-addr.arpa | udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted: 2023-08-14 13:21
Reported: 2023-08-14 13:24
Platform: win7-20230712-en
Max time kernel: 122s
Max time network: 125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\StormSpoofer\StormSpoofer.exe"

Signatures

StormKitty
Tags: stealer stormkitty

StormKitty payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Reads user/profile data of web browsers
Tags: spyware stealer

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service
Description | Indicator | Process | Target
N/A | checkip.dyndns.org | N/A | N/A

Suspicious behavior: EnumeratesProcesses
Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\StormSpoofer\StormSpoofer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\StormSpoofer\StormSpoofer.exe | N/A

Suspicious use of AdjustPrivilegeToken
Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\StormSpoofer\StormSpoofer.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\StormSpoofer\StormSpoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\StormSpoofer\StormSpoofer.exe"

C:\Windows\system32\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\system32\chcp.com
    chcp 65001

C:\Windows\system32\netsh.exe
    netsh wlan show profile

C:\Windows\system32\findstr.exe
    findstr All

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | discord.com | udp
US | 162.159.138.232:443 | discord.com | tcp
US | 8.8.8.8:53 | www.toptal.com | udp
US | 104.18.28.213:443 | www.toptal.com | tcp
US | 162.159.138.232:443 | discord.com | tcp
US | 8.8.8.8:53 | checkip.dyndns.org | udp
US | 158.101.44.242:80 | checkip.dyndns.org | tcp
US | 162.159.138.232:443 | discord.com | tcp

Files

memory/2432-53-0x0000000000EC0000-0x00000000010D2000-memory.dmp
memory/2432-54-0x000007FEF5150000-0x000007FEF5B3C000-memory.dmp
memory/2432-55-0x00000000005B0000-0x0000000000630000-memory.dmp
memory/2432-56-0x0000000000160000-0x000000000016A000-memory.dmp
memory/2432-57-0x0000000000170000-0x000000000018A000-memory.dmp
memory/2432-60-0x00000000003F0000-0x0000000000416000-memory.dmp
memory/2432-61-0x0000000000D50000-0x0000000000DE0000-memory.dmp
memory/2432-74-0x000007FEF5150000-0x000007FEF5B3C000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted: 2023-08-14 13:21
Reported: 2023-08-14 13:24
Platform: win10v2004-20230703-en
Max time kernel: 124s
Max time network: 130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\StormSpoofer\StormSpoofer.exe"

Signatures

StormKitty
Tags: stealer stormkitty

StormKitty payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Reads user/profile data of web browsers
Tags: spyware stealer

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service
Description | Indicator | Process | Target
N/A | checkip.dyndns.org | N/A | N/A

Suspicious behavior: EnumeratesProcesses
Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\StormSpoofer\StormSpoofer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\StormSpoofer\StormSpoofer.exe | N/A

Suspicious use of AdjustPrivilegeToken
Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\StormSpoofer\StormSpoofer.exe | N/A

Suspicious use of WriteProcessMemory
Description | Indicator | Process | Target
PID 2852 wrote to memory of 4552 | N/A | C:\Users\Admin\AppData\Local\Temp\StormSpoofer\StormSpoofer.exe | C:\Windows\SYSTEM32\cmd.exe
PID 2852 wrote to memory of 4552 | N/A | C:\Users\Admin\AppData\Local\Temp\StormSpoofer\StormSpoofer.exe | C:\Windows\SYSTEM32\cmd.exe
PID 4552 wrote to memory of 3792 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\chcp.com
PID 4552 wrote to memory of 3792 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\chcp.com
PID 4552 wrote to memory of 1324 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\netsh.exe
PID 4552 wrote to memory of 1324 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\netsh.exe
PID 4552 wrote to memory of 3648 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\findstr.exe
PID 4552 wrote to memory of 3648 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\findstr.exe
PID 2852 wrote to memory of 648 | N/A | C:\Users\Admin\AppData\Local\Temp\StormSpoofer\StormSpoofer.exe | C:\Windows\SYSTEM32\cmd.exe
PID 2852 wrote to memory of 648 | N/A | C:\Users\Admin\AppData\Local\Temp\StormSpoofer\StormSpoofer.exe | C:\Windows\SYSTEM32\cmd.exe
PID 648 wrote to memory of 4320 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\chcp.com
PID 648 wrote to memory of 4320 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\chcp.com
PID 648 wrote to memory of 4208 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\netsh.exe
PID 648 wrote to memory of 4208 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\netsh.exe
PID 648 wrote to memory of 1668 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\findstr.exe
PID 648 wrote to memory of 1668 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\findstr.exe

Processes

C:\Users\Admin\AppData\Local\Temp\StormSpoofer\StormSpoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\StormSpoofer\StormSpoofer.exe"

C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\system32\chcp.com
    chcp 65001

C:\Windows\system32\netsh.exe
    netsh wlan show profile

C:\Windows\system32\findstr.exe
    findstr All

C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile name=65001 key=clear | findstr Key

C:\Windows\system32\chcp.com
    chcp 65001

C:\Windows\system32\netsh.exe
    netsh wlan show profile name=65001 key=clear

C:\Windows\system32\findstr.exe
    findstr Key

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 126.130.241.8.in-addr.arpa | udp
US | 8.8.8.8:53 | discord.com | udp
US | 162.159.138.232:443 | discord.com | tcp
US | 8.8.8.8:53 | 232.138.159.162.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | www.toptal.com | udp
US | 104.18.28.213:443 | www.toptal.com | tcp
US | 162.159.138.232:443 | discord.com | tcp
US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 213.28.18.104.in-addr.arpa | udp
US | 8.8.8.8:53 | checkip.dyndns.org | udp
US | 158.101.44.242:80 | checkip.dyndns.org | tcp
US | 162.159.138.232:443 | discord.com | tcp
US | 8.8.8.8:53 | 242.44.101.158.in-addr.arpa | udp
US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 254.132.255.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp

Files

memory/2852-133-0x0000000000AC0000-0x0000000000CD2000-memory.dmp
memory/2852-134-0x0000000002EA0000-0x0000000002EBA000-memory.dmp
memory/2852-135-0x00007FFA12E30000-0x00007FFA138F1000-memory.dmp
memory/2852-136-0x000000001BA80000-0x000000001BA90000-memory.dmp
memory/2852-139-0x000000001D630000-0x000000001D6A6000-memory.dmp
memory/2852-152-0x000000001C1C0000-0x000000001C1D2000-memory.dmp
memory/2852-153-0x000000001C220000-0x000000001C25C000-memory.dmp
memory/2852-155-0x00007FFA12E30000-0x00007FFA138F1000-memory.dmp