stormkitty | 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
07-07-2024 05:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86108d3bcc19fe774cc81b71494d31f9.exe
Size

320KB
MD5

86108d3bcc19fe774cc81b71494d31f9
SHA1

d936ce0c2f3ddc35f972c3a87fcaeb036412e009
SHA256

9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b
SHA512

151411bf7603856b39169b40cd7b7c68eff1f3f6ccba27d6767384b390e688287c6823aa3f542eeeded92c0e5b584ed429948b99d3c8e22c2b626fdd6bf849f0
SSDEEP

6144:Cm/Q1Q5Ng68j/svmHC40+XIzFUygWK0tWrcBOvl:Cm/Q6P8j/svm1TXI5tZB

Score

10^/10

stormkitty collection discovery spyware stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/memory/2748-1-0x0000000000F30000-0x0000000000F86000-memory.dmp	family_stormkitty

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	86108d3bcc19fe774cc81b71494d31f9.exe
Key opened	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	86108d3bcc19fe774cc81b71494d31f9.exe
Key opened	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	86108d3bcc19fe774cc81b71494d31f9.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\FCNAHWEI\FileGrabber\Desktop\desktop.ini	86108d3bcc19fe774cc81b71494d31f9.exe
File opened for modification	C:\Users\Admin\AppData\Local\FCNAHWEI\FileGrabber\Desktop\desktop.ini	86108d3bcc19fe774cc81b71494d31f9.exe
File created	C:\Users\Admin\AppData\Local\FCNAHWEI\FileGrabber\Documents\desktop.ini	86108d3bcc19fe774cc81b71494d31f9.exe
File created	C:\Users\Admin\AppData\Local\FCNAHWEI\FileGrabber\Downloads\desktop.ini	86108d3bcc19fe774cc81b71494d31f9.exe
File created	C:\Users\Admin\AppData\Local\FCNAHWEI\FileGrabber\Pictures\desktop.ini	86108d3bcc19fe774cc81b71494d31f9.exe

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	freegeoip.app
6	freegeoip.app
16	api.ipify.org
17	api.ipify.org
18	ip-api.com
20	api.ipify.org
21	api.ipify.org

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	86108d3bcc19fe774cc81b71494d31f9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	86108d3bcc19fe774cc81b71494d31f9.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2748	86108d3bcc19fe774cc81b71494d31f9.exe
2748	86108d3bcc19fe774cc81b71494d31f9.exe
2748	86108d3bcc19fe774cc81b71494d31f9.exe
2748	86108d3bcc19fe774cc81b71494d31f9.exe
2748	86108d3bcc19fe774cc81b71494d31f9.exe
2748	86108d3bcc19fe774cc81b71494d31f9.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2748	86108d3bcc19fe774cc81b71494d31f9.exe

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	86108d3bcc19fe774cc81b71494d31f9.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	86108d3bcc19fe774cc81b71494d31f9.exe

C:\Users\Admin\AppData\Local\Temp\86108d3bcc19fe774cc81b71494d31f9.exe
"C:\Users\Admin\AppData\Local\Temp\86108d3bcc19fe774cc81b71494d31f9.exe"
1⤵
- Accesses Microsoft Outlook profiles
- Drops desktop.ini file(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\FCNAHWEI\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\FCNAHWEI\FileGrabber\Desktop\TestShow.bmp

Filesize
745KB

MD5
6be6610c2b3065ae49bcd766f9e13833

SHA1
e3f7db2f769430bd9f2c282b884aebb3db3894e5

SHA256
3e94c6e63b99b0f468ed5778765af77acd28dd584ba2ff89724d8fbaaaebb2f4

SHA512
7efdd397ac5deeef0a4f761ac87442b95235b341fab857361ad123cee9b4d20f1d15861172af12bf81281409f559a3e8a82c343eddd219513080e67e55a8efdb

Download Submit
C:\Users\Admin\AppData\Local\FCNAHWEI\FileGrabber\Desktop\UnblockOut.xls

Filesize
670KB

MD5
665ecc65adb090ed7a4fada2696d595f

SHA1
5e9e27ee97bdc85ac30798246fe149a938cb8b7c

SHA256
02e5170e87c17f52097dd0ee294fba77a6eb45ceade798c816c6492ca5b275b7

SHA512
ea7fd4d5a521e700794af23836e54e27b509d2507a62a8a69100849f22fbdb721236cab9b3db1a7e741d374a18387e886f25a71636be98bb59e8a46fac678522

Download Submit
C:\Users\Admin\AppData\Local\FCNAHWEI\FileGrabber\Documents\ClearConvertFrom.docx

Filesize
345KB

MD5
83325a5e5d76bf554820f170c64cd527

SHA1
408f30991bf57c6d0bfb7e3cb0ee41138cee9b74

SHA256
a6bfea2ac7491afbad243dadbde85f98ad03d3f460bc450141efeb9e06ecacde

SHA512
0fb5ee545989e6798b37b56245f2b4ce3c9f93cb85ed945a7eaa8897df3733af86f290a7d6aea0b30095cdfff70f35dfdaa74fc1e5f8fb939c6ab2c1bd847b84

Download Submit
C:\Users\Admin\AppData\Local\FCNAHWEI\FileGrabber\Documents\CompareStop.rtf

Filesize
379KB

MD5
d1e04cb86911850f936adcb5fcd75857

SHA1
a05f5e81abf956fa7005142dc0a57bca6801875c

SHA256
5d5cb63b3a5f7a1694096c702cca596247f58d6b4e26234ed279d291bda82b9f

SHA512
3809caaaf839e346b7cf5f3eda9f87c36ae857ec41782e8ce7aed1cecb757695ed6ae71764b3e247eae610606aba087edab63e203f5c9abe590c17c62d010a38

Download Submit
C:\Users\Admin\AppData\Local\FCNAHWEI\FileGrabber\Documents\MountSearch.doc

Filesize
564KB

MD5
af367a052c106e968e1edad46a802c4b

SHA1
04f3958a69405c0ff3ee38ab3835149a27fd057e

SHA256
e85d963321ce1affafd1dc3aad3a7652acd9fb2b6835411874784b3d1256f0a0

SHA512
3a6088686641bb81eda3325ddb8fd2315e3b0a8a70d50e9d6868b24f2300edd825d5add4c5112e535a39c9d575a4d4f445993a7b094923ed389cb175c5673fcd

Download Submit
C:\Users\Admin\AppData\Local\FCNAHWEI\FileGrabber\Downloads\LimitEdit.rtf

Filesize
476KB

MD5
a710a7003cbdf2cce9e909c36ca9fab9

SHA1
4ec72ad90c14da10524548613fd9cf190cf0a235

SHA256
493e12a1f3475fa09848ecdaf515c067a24ed4ba2da10d7a13da501dc9e1db77

SHA512
cea0451c62fb8a9099dd4578067758bf6de2d1123e2b4a7c6d5ea781a8fe80f1d91739919899d5efd7040154d04079560292b6c5e54bd64470e3c9cb9961515b

Download Submit
C:\Users\Admin\AppData\Local\FCNAHWEI\FileGrabber\Downloads\TraceSubmit.docx

Filesize
566KB

MD5
33326076131619648edf0ab377887ff0

SHA1
52c7b748a8cfe611e50863b16f21a9e874d7d018

SHA256
836ecb1e1c0def49d08aab15322cc19c1a4ee09d8238d983db942833600d0bb4

SHA512
61f53757b12e38a1070f241206b8003a346d963f0fa2df0d03edbc81c4dcdbbf6c53721d2a5fa3b33595e8d9950a759e93123fddf302e6691543c0d178e38a51

Download Submit
C:\Users\Admin\AppData\Local\FCNAHWEI\FileGrabber\Pictures\ConvertToMount.bmp

Filesize
819KB

MD5
aab529f552f3ed521ec390061994e188

SHA1
ffab5ced3140dba286387d4564fabdab3ad9e2ca

SHA256
0bd704fbc48e625d2500c990a10f8015dbbb2620b560ae3106a0c4b8f4492ec9

SHA512
a5e68bf67a9ba1b7ad6957e25bd82a9ff1fec6166f8f5c2c054204f6878d59c00f5d29bea00774e4269db8670056988b42daa93216f6705a58fa1ebaaa51a8dc

Download Submit
C:\Users\Admin\AppData\Local\FCNAHWEI\FileGrabber\Pictures\ExitReceive.png

Filesize
420KB

MD5
0913f640d2c9a5ba6731f425d28803b0

SHA1
b2e41bed1d17709e2ddb4bf0fcf9ddc96b4a517f

SHA256
6d063400fdb236570f2f4a154fd11808c9dfde6fae9bb5e3887caa4a478cf86b

SHA512
fdd6454e440c018538764d4aefa137f6236489c4238adba63399a815fe3dd0a3f0985b0f888fcdec2e751a11455f8790d0100129ad0c74e66062fec8697b2131

Download Submit
memory/2748-2-0x0000000074170000-0x000000007485E000-memory.dmp

Filesize
6.9MB

Download
memory/2748-1-0x0000000000F30000-0x0000000000F86000-memory.dmp

Filesize
344KB

Download
memory/2748-0-0x000000007417E000-0x000000007417F000-memory.dmp

Filesize
4KB

Download
memory/2748-176-0x0000000074170000-0x000000007485E000-memory.dmp

Filesize
6.9MB

Download