Malware Analysis Report

2024-09-23 00:22

Sample ID 240511-pgnhtaae72
Target kdmapper_stealer.exe
SHA256 a302f5eb849f5873826ff3f2034075450430d65051809ca6489db3da754e3bea
Tags
rat default asyncrat stormkitty spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a302f5eb849f5873826ff3f2034075450430d65051809ca6489db3da754e3bea

Threat Level: Known bad

The file kdmapper_stealer.exe was found to be: Known bad.

Malicious Activity Summary

rat default asyncrat stormkitty spyware stealer

Stormkitty family

Async RAT payload

Asyncrat family

StormKitty

AsyncRat

StormKitty payload

Reads user/profile data of web browsers

Looks up external IP address via web service

Drops desktop.ini file(s)

Looks up geolocation information via web service

Unsigned PE

Checks processor information in registry

Suspicious use of WriteProcessMemory

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-11 12:18

Signatures

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Stormkitty family

stormkitty

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-11 12:18

Reported

2024-05-11 12:20

Platform

win7-20240508-en

Max time kernel

146s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe"

Signatures

AsyncRat

rat asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\29330ef60ccd69e8cb35733b05a1e76f\Admin@PUMARTNR_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\29330ef60ccd69e8cb35733b05a1e76f\Admin@PUMARTNR_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe N/A
File created C:\Users\Admin\AppData\Local\29330ef60ccd69e8cb35733b05a1e76f\Admin@PUMARTNR_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\29330ef60ccd69e8cb35733b05a1e76f\Admin@PUMARTNR_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe N/A
File created C:\Users\Admin\AppData\Local\29330ef60ccd69e8cb35733b05a1e76f\Admin@PUMARTNR_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe N/A
File created C:\Users\Admin\AppData\Local\29330ef60ccd69e8cb35733b05a1e76f\Admin@PUMARTNR_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\29330ef60ccd69e8cb35733b05a1e76f\Admin@PUMARTNR_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2896 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe C:\Windows\SysWOW64\cmd.exe
PID 2896 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe C:\Windows\SysWOW64\cmd.exe
PID 2896 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe C:\Windows\SysWOW64\cmd.exe
PID 2896 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 2836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2824 wrote to memory of 2836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2824 wrote to memory of 2836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2824 wrote to memory of 2836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2824 wrote to memory of 2848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2824 wrote to memory of 2848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2824 wrote to memory of 2848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2824 wrote to memory of 2848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2824 wrote to memory of 2844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2824 wrote to memory of 2844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2824 wrote to memory of 2844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2824 wrote to memory of 2844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2896 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe C:\Windows\SysWOW64\cmd.exe
PID 2896 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe C:\Windows\SysWOW64\cmd.exe
PID 2896 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe C:\Windows\SysWOW64\cmd.exe
PID 2896 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe C:\Windows\SysWOW64\cmd.exe
PID 1820 wrote to memory of 1796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1820 wrote to memory of 1796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1820 wrote to memory of 1796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1820 wrote to memory of 1796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1820 wrote to memory of 1996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1820 wrote to memory of 1996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1820 wrote to memory of 1996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1820 wrote to memory of 1996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe

"C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

Network

Country Destination Domain Proto
US 8.8.8.8:53 icanhazip.com udp
US 104.16.184.241:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 104.21.44.66:443 api.mylnikov.org tcp
US 8.8.8.8:53 apps.identrust.com udp
US 2.18.190.80:80 apps.identrust.com tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:8808 tcp

Files

memory/2896-0-0x000000007440E000-0x000000007440F000-memory.dmp

memory/2896-1-0x0000000001320000-0x0000000001352000-memory.dmp

memory/2896-2-0x0000000074400000-0x0000000074AEE000-memory.dmp

memory/2896-69-0x0000000074400000-0x0000000074AEE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab575D.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar57BD.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e51063800af06a8536bcbd6ea64443f5
SHA1 84d1c1d0ad5421d0344f4c5a77df9b22ce076ebe
SHA256 5152017459a90c2b92847bbeffd0a5e74086f4c0d0b0008b3457148b8d33cec3
SHA512 216bd3cd67ccb516e348d6d3a89307f8185ce64c49ba6aef540a345d324a4321bace1bda5d9b790eaa3d6a203b7175560a2f096644f39d035a84790aaa8be11a

C:\Users\Admin\AppData\Local\8b3b9bdc7c280226d75dc8511856493f\msgid.dat

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

memory/2896-139-0x000000007440E000-0x000000007440F000-memory.dmp

memory/2896-140-0x0000000074400000-0x0000000074AEE000-memory.dmp

memory/2896-141-0x0000000074400000-0x0000000074AEE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-11 12:18

Reported

2024-05-11 12:20

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe"

Signatures

AsyncRat

rat asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\09b35d32f5e5e6a44f6d74cb0b679a5c\Admin@SNFVGQLU_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe N/A
File created C:\Users\Admin\AppData\Local\09b35d32f5e5e6a44f6d74cb0b679a5c\Admin@SNFVGQLU_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe N/A
File created C:\Users\Admin\AppData\Local\09b35d32f5e5e6a44f6d74cb0b679a5c\Admin@SNFVGQLU_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe N/A
File created C:\Users\Admin\AppData\Local\09b35d32f5e5e6a44f6d74cb0b679a5c\Admin@SNFVGQLU_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe N/A
File created C:\Users\Admin\AppData\Local\09b35d32f5e5e6a44f6d74cb0b679a5c\Admin@SNFVGQLU_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe N/A
File created C:\Users\Admin\AppData\Local\09b35d32f5e5e6a44f6d74cb0b679a5c\Admin@SNFVGQLU_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\09b35d32f5e5e6a44f6d74cb0b679a5c\Admin@SNFVGQLU_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe N/A
File created C:\Users\Admin\AppData\Local\09b35d32f5e5e6a44f6d74cb0b679a5c\Admin@SNFVGQLU_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 864 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe C:\Windows\SysWOW64\cmd.exe
PID 3516 wrote to memory of 2984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3516 wrote to memory of 2984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3516 wrote to memory of 2984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3516 wrote to memory of 1224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3516 wrote to memory of 1224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3516 wrote to memory of 1224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3516 wrote to memory of 2880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3516 wrote to memory of 2880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3516 wrote to memory of 2880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 864 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe C:\Windows\SysWOW64\cmd.exe
PID 3112 wrote to memory of 3464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3112 wrote to memory of 3464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3112 wrote to memory of 3464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3112 wrote to memory of 5056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3112 wrote to memory of 5056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3112 wrote to memory of 5056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe

"C:\Users\Admin\AppData\Local\Temp\kdmapper_stealer.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 icanhazip.com udp
US 104.16.185.241:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 104.21.44.66:443 api.mylnikov.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 66.44.21.104.in-addr.arpa udp
US 8.8.8.8:53 241.185.16.104.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:8808 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
N/A 127.0.0.1:6606 tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 28.143.109.104.in-addr.arpa udp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:6606 tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:8808 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:7707 tcp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp

Files

memory/864-0-0x00000000752CE000-0x00000000752CF000-memory.dmp

memory/864-1-0x0000000000200000-0x0000000000232000-memory.dmp

memory/864-2-0x00000000752C0000-0x0000000075A70000-memory.dmp

memory/864-3-0x0000000004C10000-0x0000000004C76000-memory.dmp

C:\Users\Admin\AppData\Local\09b35d32f5e5e6a44f6d74cb0b679a5c\Admin@SNFVGQLU_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\Users\Admin\AppData\Local\09b35d32f5e5e6a44f6d74cb0b679a5c\Admin@SNFVGQLU_en-US\System\Process.txt

MD5 7d5c04d6ef3e87928e337ffa8e563754
SHA1 a8dd150f0e765a1771289a2fd759483364a8e3af
SHA256 f425c1c4eef58206fc2db1ebc2663299b13132ac154b95b2488930b75347dce2
SHA512 2ad363d9f3eab08b6e51543fcfd3026439028611b801b76a452e510234211899dc99646587c68ed73981d78b26e3f693ba1da4f1d46554ed18a34b28884bc6b0

memory/864-144-0x00000000752C0000-0x0000000075A70000-memory.dmp

memory/864-146-0x0000000005720000-0x00000000057B2000-memory.dmp

memory/864-147-0x0000000005D70000-0x0000000006314000-memory.dmp

memory/864-151-0x0000000005830000-0x000000000583A000-memory.dmp

C:\Users\Admin\AppData\Local\0986c286fd2f72d085cc01e5df670c97\msgid.dat

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

memory/864-157-0x00000000752CE000-0x00000000752CF000-memory.dmp

memory/864-158-0x00000000752C0000-0x0000000075A70000-memory.dmp

memory/864-159-0x00000000752C0000-0x0000000075A70000-memory.dmp