stormkitty | 5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc

Analysis

max time kernel
136s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 22:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe
Size

297KB
MD5

fb7bed457cb3d5be6c8b80f3105cc3d3
SHA1

0a60f5ca1e55b180ee0db151830c477d361aea3c
SHA256

5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc
SHA512

36d29cca7be2e416545273860e9a38d3df930d657bc39fba299dcee03138a52e5ca4292d4a5d3a4a3277582b24008c3edd225df341f81063b963ada438c7fd88
SSDEEP

6144:thiCNeUwAe6krgybO4Ef2z0Ysapo1y+S5ORiv:tTNeUwAr2hd0yZv

Score

10^/10

stormkitty collection credential_access discovery spyware stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/1164-1-0x0000000000110000-0x0000000000160000-memory.dmp	family_stormkitty

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File created	C:\ProgramData\SYMRKCCU\FileGrabber\Desktop\desktop.ini	5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe
File created	C:\ProgramData\SYMRKCCU\FileGrabber\Documents\desktop.ini	5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe
File created	C:\ProgramData\SYMRKCCU\FileGrabber\Downloads\desktop.ini	5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe
File created	C:\ProgramData\SYMRKCCU\FileGrabber\Pictures\desktop.ini	5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	freegeoip.app
8	freegeoip.app
44	api.ipify.org
45	api.ipify.org
46	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1164	5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe
1164	5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe
1164	5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe
1164	5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe
1164	5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe
1164	5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe
1164	5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe
1164	5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe
1164	5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe
1164	5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe
1164	5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe
1164	5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe
1164	5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe
1164	5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe
1164	5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe
1164	5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe
1164	5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe
1164	5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe
1164	5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe
1164	5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe
1164	5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe
1164	5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe
1164	5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe
1164	5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe
1164	5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe
1164	5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe
1164	5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1164	5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe

C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe
"C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe"
1⤵
- Accesses Microsoft Outlook profiles
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3364,i,8293235976513689021,7261015831736501466,262144 --variations-seed-version --mojo-platform-channel-handle=3824 /prefetch:8
1⤵
PID:4520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SYMRKCCU\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\ProgramData\SYMRKCCU\FileGrabber\Desktop\ExitDebug.bmp

Filesize
626KB

MD5
99a2f8ba7264933185c8aee369dfda15

SHA1
a9520ecfb92ea89b3432a8471b92128e49ce4480

SHA256
b348698fca9263c51428990503332e9a47efc9bcfc4e7aa5a45ce1c267ce3bf8

SHA512
30d56c86bcfaa3e23c0f3429e9bb2832ebad9077291c3b2cf44466f57e4a97e7d55880d88ed7e7f351da008e682d36285eeaf716c632e6741ac5299c105601f5

Download Submit
C:\ProgramData\SYMRKCCU\FileGrabber\Desktop\LockConvert.css

Filesize
794KB

MD5
3c6a212347c8a065907832adb1811414

SHA1
2761be281a796ce6c34670d12d8d8055b9ce06dd

SHA256
96f18af72d3c963e711d616f6c4ea366a39ce3cbdf330e06a2ef9fa5a8b80b54

SHA512
281bf62fb35e46aa4b672810d19c5dcce4a36064b4e87d6a72fb4566ecd9c48adbdac80e231093338e1ca8026f509fcc4bd6cd3704095219caca0b1081cadb8b

Download Submit
C:\ProgramData\SYMRKCCU\FileGrabber\Documents\DebugRegister.html

Filesize
1.1MB

MD5
67de13d9586f91411aabdaa7f7c930c3

SHA1
4bbd4b64cca09be942f956ec637a89b4de48b084

SHA256
eb5c7bee2a78bea14b48ec9bd4a86ab2fe1ae4a59f08b06999345d02008c6345

SHA512
66688b48ed372ed5d78e66d257d983e6d049523f8df843c618ceda61bfb42adb3b3aa2afc6e7204cc4965e795c5aec0d4fdace9e8f6e9778757fb650c7639f77

Download Submit
C:\ProgramData\SYMRKCCU\FileGrabber\Documents\DisableSet.ppt

Filesize
370KB

MD5
10c994a4ce5e6f44ccc0a5918055cedc

SHA1
9d0dc01ddab4d38a194148a77ffa089900dcee69

SHA256
6dfccd7ecff8baf3dfe607f519797648c7db664c594948179a60d4f7b19451fa

SHA512
c9b765aa646c27804eb1b28c51135529012ca893552d7bd6ba523b6e32165c836c1135c932305f0405dce239f419a67286bf1cba4337c1b6b49ed3d0e0b92a81

Download Submit
C:\ProgramData\SYMRKCCU\FileGrabber\Downloads\DebugNew.css

Filesize
450KB

MD5
2e8de8c9133d237a8a073a2fff776206

SHA1
30dd9bd9fff33f274317bfe84eb74cfcf72297fa

SHA256
5d6b77d83e89e6e19ae655bbc7837ea0a795b1752dea0c4c1fad0b8d95c1a2c3

SHA512
2c8cc52cd9373569f9ce3ced2c6bf41b95f1ad74eb6d88d52907928f9588920f45a06ad1c5e3be99647c7bed14a468c31be8e11a79439e48487e17fa23606bbe

Download Submit
C:\ProgramData\SYMRKCCU\FileGrabber\Downloads\DismountSwitch.rtf

Filesize
339KB

MD5
09efc3da0c434f38d0c324809186b0d7

SHA1
5dc752505dad98e723effa3727491394658c5edd

SHA256
1b3f970ed052bc7afaa20f5e23a7a57eca5763ea5d9438708a57937ce83b226d

SHA512
16ee2183da5d8c8914ae60cbcf47f87b8274063ff6295df612cbe11735a1de339b54306f5b2ec08c3cbcaeabcd6c5bec0c75ae85c78665e7697ab83bd9155c13

Download Submit
C:\ProgramData\SYMRKCCU\FileGrabber\Downloads\ExitJoin.xls

Filesize
367KB

MD5
bcf592ea78eded349ce491523c28c40b

SHA1
9e38d1d744585907d75a9b61e4e26e2ec4e45887

SHA256
cc40782498ac1ed02f7209a9ed4ef939419de58a3fd48d578912129c8e038d75

SHA512
c77a21b766fe95dfd34e6a0fb0f0c62f3a3656b05cbeee80efb3ad9ddc5f0408b4777f53c0b5f66f32a0a227f947caeac8fa3bbc0d407700a5c025b91918a7cc

Download Submit
C:\ProgramData\SYMRKCCU\FileGrabber\Downloads\ReceiveLock.docx

Filesize
844KB

MD5
cb4786685752796b8e47184039d7e8b0

SHA1
5c3010c4d05fac6a72670d002b2fb29b1d9eea9f

SHA256
cef5125b80d6966043acdf24f5fe79ab155a7e624875f3c5f34985aef4904211

SHA512
96a96822324a3cc608c82d9d1f4be271f7c21978f47f51b3a6b7671593c27c7b36e64eae5034e1341d4f6709d3ad4649e0c8e89bf0ddfa73de26b0400164ece2

Download Submit
C:\ProgramData\SYMRKCCU\FileGrabber\Pictures\ConfirmMount.png

Filesize
191KB

MD5
bf6bbe18caffe562c12ba028bbd4f891

SHA1
fd7ab0b6d16c90e905a98591ee0cc712e557962a

SHA256
acca5bb42651a543967d68a42db5fdaecf06ad117f583e7940432e714619127b

SHA512
59fd383b232fbf6728f67dfb1ccd01e9459ef09909785fbaae1f93436373204e7a2fe697e492dca80806115117b8724b6d78842a06a1d69857816b1e00c78e04

Download Submit
C:\ProgramData\SYMRKCCU\FileGrabber\Pictures\EnableSelect.bmp

Filesize
248KB

MD5
e31cc6a064fdd714772e65052587e6f8

SHA1
50b96d29ecabd2d62650bb6e3fa727b15e646260

SHA256
67b6f546cc152f8016e169ad00a37aabd0200ed10d37a03dd50695adc1fbc5a9

SHA512
a0b1175fe0da2c61ce668d505d3897e10632284a302d9f96baca0366fe2af9d84521ca1e171e35ef8fc1e3456ec07939b2ea3e13ea15163db79d580bf7a8a78c

Download Submit
C:\ProgramData\SYMRKCCU\FileGrabber\Pictures\ExitUnpublish.png

Filesize
259KB

MD5
f02d4ae145c6dbe7955ed29bcf3bc85b

SHA1
bb7158d8a01081093b499d7f29196da7abac931a

SHA256
ab28b0899f3b1a180ee2cecc9d9b844090ee2ce024bec266b1cbd2e1f53e386c

SHA512
9a8186969002fab550bfcc2e6d7132e54353ab2154d39ce7d75ac87882257728a8a6a7aba531cd5ab7800e61e028ea2ed8970776238d3512baa0bf05546ec3ee

Download Submit
C:\ProgramData\SYMRKCCU\FileGrabber\Pictures\HideRestart.png

Filesize
149KB

MD5
d725f4ff05afbb6c0609dc0fc855daaf

SHA1
f9f00396c9c3e79f91c871a2a8a377fc4d187f00

SHA256
e04876417b246c3f86bce43dc4809026c339bc51e3edb4e870049ab2a452aa7c

SHA512
d4b47a48d1c1b48dd0d50486b6d1dec58782a317b19cd7f6ba10e4c0dfc0edf664260fda48be67732b66dbeea87fa526eae129969ee5bf81960d28940300d448

Download Submit
C:\ProgramData\SYMRKCCU\FileGrabber\Pictures\MeasureCompare.bmp

Filesize
222KB

MD5
931fec1b30038c40fdf4c4f54bb62b04

SHA1
79dc738a4b6971b3fbe9531d7ca7dac2826a6388

SHA256
999d3690c1936152ee8f3af961f8e240bf013d56deb8f24284c37c04896ff410

SHA512
0a6a5f01bced5b2c11296397a196944ae6c15f2da39ee55a2692b3e3234ad6b429ce15a751d14adb8d531d51c6e8cdb85999008ff77eb6317b8309b627a61615

Download Submit
C:\ProgramData\SYMRKCCU\FileGrabber\Pictures\PushResize.jpg

Filesize
264KB

MD5
8f967dfb021d3b014e15c55ea61f488a

SHA1
f7e2d1b5c61a87b49df84566823814a609829426

SHA256
6c5d7b7284ab99a805aeb3e0d0ef6198bbf0dee2b3c913a9529a312e3ebea156

SHA512
aa04dc4cc558f836f77352701aef7cf579abf8fe46153523728a7923f04c59ebebdd2cc9394ff66e8ef19a8137242101b5867347e78cb21c04d864dbb3a24250

Download Submit
C:\ProgramData\SYMRKCCU\Process.txt

Filesize
4KB

MD5
67a0e9a92b56fc48bfa1d1d6a046e05e

SHA1
340dcc7a95818370b2c165d3b6ee6de60d18c851

SHA256
e1559765cdb7af69be230dcb2bdab45c8f26f6d032942ad157c17d0489627175

SHA512
cb904edafb1dd5b62a96a413d7c2e38db15fa19d3c5f368d7f9f1a97a372519c4b9cc2c927f29b5738acc362d9e9cf5928985ae0dddb0e914ab5c7ebb56c00ba

Download Submit
memory/1164-36-0x0000000005E40000-0x0000000005ED2000-memory.dmp

Filesize
584KB

Download
memory/1164-45-0x0000000006330000-0x0000000006396000-memory.dmp

Filesize
408KB

Download
memory/1164-2-0x0000000074600000-0x0000000074DB0000-memory.dmp

Filesize
7.7MB

Download
memory/1164-37-0x0000000006490000-0x0000000006A34000-memory.dmp

Filesize
5.6MB

Download
memory/1164-164-0x000000007460E000-0x000000007460F000-memory.dmp

Filesize
4KB

Download
memory/1164-165-0x0000000074600000-0x0000000074DB0000-memory.dmp

Filesize
7.7MB

Download
memory/1164-0-0x000000007460E000-0x000000007460F000-memory.dmp

Filesize
4KB

Download
memory/1164-1-0x0000000000110000-0x0000000000160000-memory.dmp

Filesize
320KB

Download
memory/1164-297-0x0000000074600000-0x0000000074DB0000-memory.dmp

Filesize
7.7MB

Download