stormkitty | 25d0c4ef21f49c4794220886919feebccbe942bffc1c36b8430b9b005693ce42 | Triage

Sharing

General

Target

de7711ff0df1b36bd31f32f15843905b_JaffaCakes118
Size

842KB
Sample

240913-tfayjswhqc
MD5

de7711ff0df1b36bd31f32f15843905b
SHA1

abd7c78b184f42525f0d7b53ba829e8f81bd2134
SHA256

25d0c4ef21f49c4794220886919feebccbe942bffc1c36b8430b9b005693ce42
SHA512

fa154ea9e1bad8e71434dc4ccef5182fd5eb93880e7fb10ca95da8399edcfcccc52d47cb78c17a0514bf15ca667865030519cf7c3be85b0494e6f9b83bc95428
SSDEEP

12288:JuC9eHN8vWHXsYIugb+94LlvTyFLPkZqVQV3309b+Z2x2G4Q4UFfHak3sD8H7:QCQH2TYqtBTfZqVQBY2Gv4UFfHH328b

Score

10^/10

stormkitty collection credential_access discovery persistence privilege_escalation stealer

Malware Config

Targets

- Target
  
  de7711ff0df1b36bd31f32f15843905b_JaffaCakes118
- Size
  
  842KB
- MD5
  
  de7711ff0df1b36bd31f32f15843905b
- SHA1
  
  abd7c78b184f42525f0d7b53ba829e8f81bd2134
- SHA256
  
  25d0c4ef21f49c4794220886919feebccbe942bffc1c36b8430b9b005693ce42
- SHA512
  
  fa154ea9e1bad8e71434dc4ccef5182fd5eb93880e7fb10ca95da8399edcfcccc52d47cb78c17a0514bf15ca667865030519cf7c3be85b0494e6f9b83bc95428
- SSDEEP
  
  12288:JuC9eHN8vWHXsYIugb+94LlvTyFLPkZqVQV3309b+Z2x2G4Q4UFfHak3sD8H7:QCQH2TYqtBTfZqVQBY2Gv4UFfHH328b
Score

10^/10

stormkitty collection credential_access discovery persistence privilege_escalation stealer
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Enumerates processes with tasklist
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Discovery

Process Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Wi-Fi Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

stormkittycollectioncredential_accessdiscoverypersistenceprivilege_escalationstealer

behavioral2

stormkittycollectioncredential_accessdiscoverypersistenceprivilege_escalationstealer