stormkitty | ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58

General

Target

ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe
Size

232KB
MD5

3bb8fb0d40b5535cf7675b6689df20f3
SHA1

7117979d998ca9086f2a2033363d825339aa666d
SHA256

ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58
SHA512

5c5e7d4f415b5385359b2371a61fdc59a55a60c9434f37e45279281a68bf0fb7ae6c830b446914c76f67d12d90c0b833e498574e5a3dbebe9b3ee38e4b64c4aa
SSDEEP

6144:FMyNsfjEFOUFOEnrfL3m1itUbcyEAmg+T:FMH6XZLyEAmDT

Score

10^/10

stormkitty persistence privilege_escalation spyware stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/memory/2344-1-0x00000000000C0000-0x0000000000100000-memory.dmp	family_stormkitty

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2344	ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe
2344	ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe
2344	ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe
2344	ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe
2344	ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe
2344	ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe
2344	ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2344	ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe
Token: SeRestorePrivilege	1088	msiexec.exe
Token: SeTakeOwnershipPrivilege	1088	msiexec.exe
Token: SeSecurityPrivilege	1088	msiexec.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 2468	2344	ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe	29
PID 2344 wrote to memory of 2468	2344	ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe	29
PID 2344 wrote to memory of 2468	2344	ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe	29
PID 2468 wrote to memory of 2848	2468	cmd.exe	31
PID 2468 wrote to memory of 2848	2468	cmd.exe	31
PID 2468 wrote to memory of 2848	2468	cmd.exe	31
PID 2468 wrote to memory of 1340	2468	cmd.exe	32
PID 2468 wrote to memory of 1340	2468	cmd.exe	32
PID 2468 wrote to memory of 1340	2468	cmd.exe	32
PID 2468 wrote to memory of 2280	2468	cmd.exe	33
PID 2468 wrote to memory of 2280	2468	cmd.exe	33
PID 2468 wrote to memory of 2280	2468	cmd.exe	33
PID 2344 wrote to memory of 1516	2344	ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe	35
PID 2344 wrote to memory of 1516	2344	ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe	35
PID 2344 wrote to memory of 1516	2344	ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe	35
PID 1516 wrote to memory of 2752	1516	cmd.exe	37
PID 1516 wrote to memory of 2752	1516	cmd.exe	37
PID 1516 wrote to memory of 2752	1516	cmd.exe	37
PID 1516 wrote to memory of 2776	1516	cmd.exe	38
PID 1516 wrote to memory of 2776	1516	cmd.exe	38
PID 1516 wrote to memory of 2776	1516	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe
"C:\Users\Admin\AppData\Local\Temp\ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Windows\system32\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2848
- - C:\Windows\system32\netsh.exe
    netsh wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:1340
- - C:\Windows\system32\findstr.exe
    findstr All
    3⤵
    PID:2280
- C:\Windows\system32\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2752
- - C:\Windows\system32\netsh.exe
    netsh wlan show networks mode=bssid
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:2776

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\4e4194bf792b11fcee1c8b62e46231db\Admin@SCFGBRBT_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\4e4194bf792b11fcee1c8b62e46231db\Admin@SCFGBRBT_en-US\System\Apps.txt

Filesize
6KB

MD5
41cd827edadbcf3f676580c580c1dc03

SHA1
4e99509e7dc0b1ed6cc5306241b58b2ccbc8948b

SHA256
1d270899f548088968bebea9d32c8c0f23dfe59ff6e61ccc3b38d995cf001389

SHA512
087c36e68cfd5bc6898859a194ef1b63156bff6b5cd59f872dd6d48e281b558f2d7aa46a934c4da902315b361bee8cbe1b993525b4f5783e455944a55da89d0b

Download Submit
C:\Users\Admin\AppData\Local\4e4194bf792b11fcee1c8b62e46231db\Admin@SCFGBRBT_en-US\System\Process.txt

Filesize
677B

MD5
49d5468d6911ae063af03e934dabeb09

SHA1
7ff9ca74df83368c2952aef8e11569707bfb244a

SHA256
b1f4a1cfa116725b97eda7eed12e03cdc18d84ec6379ad214d8ac4bba93eddca

SHA512
4dddc1fee58b2c0ccd27b5ccc1022d6d72bb9df6810bb28ccb31f1b0cea80eb13951bb6419bea099b5d481ba9556438fcfffe47783f22fb81e72c62c371b68cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\StormKitty-Latest.log

Filesize
14KB

MD5
4a99b64c01ed0b6a4b0f64baeb104369

SHA1
ecd2703b41781d3247c6bfe2e9317d669c1c9bbf

SHA256
5fdf704d0a3eab008cef143c64fdb8934ba1e9f6a5251c961bd3705ccfc36757

SHA512
d7d6e47288c61cf39130e41a0867277999ee67d28d61b4c45cb707f3b53cfb2ef069d86f04d3f7228665a2ba295044693d5b0f44baa7f7322787389cee48727b

Download Submit
memory/2344-0-0x000007FEF56E3000-0x000007FEF56E4000-memory.dmp

Filesize
4KB

Download
memory/2344-1-0x00000000000C0000-0x0000000000100000-memory.dmp

Filesize
256KB

Download
memory/2344-2-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

Filesize
9.9MB

Download
memory/2344-73-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

Filesize
9.9MB

Download
memory/2344-153-0x000007FEF56E3000-0x000007FEF56E4000-memory.dmp

Filesize
4KB

Download
memory/2344-154-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

Filesize
9.9MB

Download
memory/2344-155-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads