stormkitty | e3d91cacfa390bbc7a27ba4a25005569eda0033ac5a3c7b83328be80dbde747b

General

Target

RaccoonStealerINJUANKANAL.exe
Size

566KB
MD5

112d2c4d2578955d04e3eb771dd938e2
SHA1

d4f7a591ca4b073d96256860637fcc808a369ba8
SHA256

e3d91cacfa390bbc7a27ba4a25005569eda0033ac5a3c7b83328be80dbde747b
SHA512

72aaffcd1f3ca17be585259c9bf355615d24730773e720dbcf73810c92c8916a23a626d053ba1ebdf81efc4b5e6c283699990d5de6b1752b2df59f72ed8eb122
SSDEEP

12288:zwPBfv9vnnK4XFzOpElcxsIDjlk9SUEtssDDND1:MD/K4X0pej8j+9OSU

Score

10^/10

stormkitty discovery persistence stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 6 IoCs

resource	yara_rule
behavioral1/memory/2792-4-0x0000000000630000-0x00000000006B0000-memory.dmp	family_stormkitty
behavioral1/files/0x0007000000016d69-13.dat	family_stormkitty
behavioral1/files/0x0008000000016d6d-14.dat	family_stormkitty
behavioral1/memory/2604-19-0x000000013F6A0000-0x000000013F6EE000-memory.dmp	family_stormkitty
behavioral1/memory/2604-31-0x0000000000570000-0x00000000005E4000-memory.dmp	family_stormkitty
behavioral1/memory/2956-32-0x0000000000CA0000-0x0000000000CAE000-memory.dmp	family_stormkitty

Executes dropped EXE 5 IoCs

pid	Process
2956	Builder.exe
2604	StormKittyBuild.exe
2236	WindowsDataC.exe
2356	RunIt.exe
1100	Process not Found

Loads dropped DLL 2 IoCs

pid	Process
2792	RaccoonStealerINJUANKANAL.exe
1100	Process not Found

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDataC.exe = "C:\\ProgramData\\WindowsDataC.exe"	RaccoonStealerINJUANKANAL.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rnts.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Rnts.exe"	RunIt.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
8	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RunIt.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2604	StormKittyBuild.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2604	StormKittyBuild.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 2956	2792	RaccoonStealerINJUANKANAL.exe	30
PID 2792 wrote to memory of 2956	2792	RaccoonStealerINJUANKANAL.exe	30
PID 2792 wrote to memory of 2956	2792	RaccoonStealerINJUANKANAL.exe	30
PID 2792 wrote to memory of 2956	2792	RaccoonStealerINJUANKANAL.exe	30
PID 2792 wrote to memory of 2604	2792	RaccoonStealerINJUANKANAL.exe	32
PID 2792 wrote to memory of 2604	2792	RaccoonStealerINJUANKANAL.exe	32
PID 2792 wrote to memory of 2604	2792	RaccoonStealerINJUANKANAL.exe	32
PID 2792 wrote to memory of 2236	2792	RaccoonStealerINJUANKANAL.exe	33
PID 2792 wrote to memory of 2236	2792	RaccoonStealerINJUANKANAL.exe	33
PID 2792 wrote to memory of 2236	2792	RaccoonStealerINJUANKANAL.exe	33
PID 2792 wrote to memory of 2356	2792	RaccoonStealerINJUANKANAL.exe	34
PID 2792 wrote to memory of 2356	2792	RaccoonStealerINJUANKANAL.exe	34
PID 2792 wrote to memory of 2356	2792	RaccoonStealerINJUANKANAL.exe	34
PID 2792 wrote to memory of 2356	2792	RaccoonStealerINJUANKANAL.exe	34

C:\Users\Admin\AppData\Local\Temp\RaccoonStealerINJUANKANAL.exe
"C:\Users\Admin\AppData\Local\Temp\RaccoonStealerINJUANKANAL.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Users\Admin\AppData\Local\Temp\Builder.exe
  "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2956
- C:\Users\Admin\AppData\Local\Temp\StormKittyBuild.exe
  "C:\Users\Admin\AppData\Local\Temp\StormKittyBuild.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2604
- C:\ProgramData\WindowsDataC.exe
  "C:\ProgramData\WindowsDataC.exe"
  2⤵
  - Executes dropped EXE
  PID:2236
- C:\Users\Admin\AppData\Local\Temp\RunIt.exe
  "C:\Users\Admin\AppData\Local\Temp\RunIt.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WindowsDataC.exe

Filesize
566KB

MD5
112d2c4d2578955d04e3eb771dd938e2

SHA1
d4f7a591ca4b073d96256860637fcc808a369ba8

SHA256
e3d91cacfa390bbc7a27ba4a25005569eda0033ac5a3c7b83328be80dbde747b

SHA512
72aaffcd1f3ca17be585259c9bf355615d24730773e720dbcf73810c92c8916a23a626d053ba1ebdf81efc4b5e6c283699990d5de6b1752b2df59f72ed8eb122

Download Submit
C:\Users\Admin\AppData\Local\Temp\Builder.exe

Filesize
40KB

MD5
766b531d3ea87df07f4a30478e0b6fea

SHA1
3a723efa352eff3421bb1a6fbee9aac3c68a56bd

SHA256
d3cf46a48919b2e21163ec3a38b3212eb2a130c0c58e9797590d0ef1767583d8

SHA512
a8ba8f652cf030daad7ef4971b41253cfe57717b70c4aeed0ce1689a73d6d92562185e9b9aa672f6da1ce4ab476b152d08026060ed41d1b97f19044c135b4742

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab899C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RunIt.exe

Filesize
143KB

MD5
d067619856f7f3079375960f62b99369

SHA1
964d548557dec3aa8e851526b71adca4b4ddbfd5

SHA256
9770561d2a27dbc16c230fe88af51f718d7d6274fcd63a3f109c381be848b4a9

SHA512
1ec891082ac133833217ce8314f6d163451c5554b789cbf8a5ff0d5ebd0b55a7ec49ea5c408bf784e6952a37526de9e77e6c39b9a4ea3b950c3fda44e7f973b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar899F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\StormKittyBuild.exe

Filesize
302KB

MD5
96c3df8d899558286dc9718cd94a680a

SHA1
aec23b5649301dc1642cc35ac01a261b9afccfc8

SHA256
1cba57cf25eca5211c78a90680c64b01d4b08ce191834f3dd6716c6435b4d869

SHA512
de23986e8ec4fb2f75142fe539fb1e201306e812947b2c05fb6d9ce1303db37c07516e7694839f2f657c5ecb358dcb8a5f8668a8c4f1932dbfb0911c379b8681

Download Submit
memory/2236-23-0x00000000001E0000-0x0000000000276000-memory.dmp

Filesize
600KB

Download
memory/2356-33-0x00000000002A0000-0x00000000002CA000-memory.dmp

Filesize
168KB

Download
memory/2604-19-0x000000013F6A0000-0x000000013F6EE000-memory.dmp

Filesize
312KB

Download
memory/2604-144-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp

Filesize
9.9MB

Download
memory/2604-18-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp

Filesize
9.9MB

Download
memory/2604-34-0x0000000000140000-0x0000000000146000-memory.dmp

Filesize
24KB

Download
memory/2604-31-0x0000000000570000-0x00000000005E4000-memory.dmp

Filesize
464KB

Download
memory/2792-0-0x000007FEF5FB3000-0x000007FEF5FB4000-memory.dmp

Filesize
4KB

Download
memory/2792-3-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp

Filesize
9.9MB

Download
memory/2792-2-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp

Filesize
9.9MB

Download
memory/2792-1-0x0000000001180000-0x0000000001216000-memory.dmp

Filesize
600KB

Download
memory/2792-88-0x000007FEF5FB3000-0x000007FEF5FB4000-memory.dmp

Filesize
4KB

Download
memory/2792-89-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp

Filesize
9.9MB

Download
memory/2792-4-0x0000000000630000-0x00000000006B0000-memory.dmp

Filesize
512KB

Download
memory/2956-32-0x0000000000CA0000-0x0000000000CAE000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads