stormkitty | e3d91cacfa390bbc7a27ba4a25005569eda0033ac5a3c7b83328be80dbde747b

General

Target

RaccoonStealerINJUANKANAL.exe
Size

566KB
MD5

112d2c4d2578955d04e3eb771dd938e2
SHA1

d4f7a591ca4b073d96256860637fcc808a369ba8
SHA256

e3d91cacfa390bbc7a27ba4a25005569eda0033ac5a3c7b83328be80dbde747b
SHA512

72aaffcd1f3ca17be585259c9bf355615d24730773e720dbcf73810c92c8916a23a626d053ba1ebdf81efc4b5e6c283699990d5de6b1752b2df59f72ed8eb122
SSDEEP

12288:zwPBfv9vnnK4XFzOpElcxsIDjlk9SUEtssDDND1:MD/K4X0pej8j+9OSU

Score

10^/10

stormkitty discovery persistence stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4428-4-0x000000001BC50000-0x000000001BCD0000-memory.dmp	family_stormkitty
C:\Users\Admin\AppData\Local\Temp\Builder.exe	family_stormkitty
C:\Users\Admin\AppData\Local\Temp\StormKittyBuild.exe	family_stormkitty
behavioral2/memory/184-47-0x0000000000080000-0x00000000000CE000-memory.dmp	family_stormkitty
behavioral2/memory/184-50-0x0000000002690000-0x0000000002704000-memory.dmp	family_stormkitty
behavioral2/memory/2396-55-0x0000000000430000-0x000000000043E000-memory.dmp	family_stormkitty

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RaccoonStealerINJUANKANAL.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	RaccoonStealerINJUANKANAL.exe

Executes dropped EXE 4 IoCs

Processes:

WindowsDataC.exeStormKittyBuild.exeRunIt.exeBuilder.exe

pid process

3832 WindowsDataC.exe
184 StormKittyBuild.exe
2684 RunIt.exe
2396 Builder.exe

pid	process
3832	WindowsDataC.exe
184	StormKittyBuild.exe
2684	RunIt.exe
2396	Builder.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RunIt.exeRaccoonStealerINJUANKANAL.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rnts.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Rnts.exe"	RunIt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDataC.exe = "C:\\ProgramData\\WindowsDataC.exe"	RaccoonStealerINJUANKANAL.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

22 raw.githubusercontent.com
23 raw.githubusercontent.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

20 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
22	raw.githubusercontent.com
23	raw.githubusercontent.com

flow	ioc
20	ip-api.com

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

RunIt.exeBuilder.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RunIt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Builder.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

StormKittyBuild.exe

pid process

184 StormKittyBuild.exe
184 StormKittyBuild.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

StormKittyBuild.exe

description pid process

Token: SeDebugPrivilege 184 StormKittyBuild.exe

pid	process
184	StormKittyBuild.exe
184	StormKittyBuild.exe

description	pid	process
Token: SeDebugPrivilege	184	StormKittyBuild.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

RaccoonStealerINJUANKANAL.exe

description	pid	process	target process
PID 4428 wrote to memory of 3832	4428	RaccoonStealerINJUANKANAL.exe	WindowsDataC.exe
PID 4428 wrote to memory of 3832	4428	RaccoonStealerINJUANKANAL.exe	WindowsDataC.exe
PID 4428 wrote to memory of 184	4428	RaccoonStealerINJUANKANAL.exe	StormKittyBuild.exe
PID 4428 wrote to memory of 184	4428	RaccoonStealerINJUANKANAL.exe	StormKittyBuild.exe
PID 4428 wrote to memory of 2396	4428	RaccoonStealerINJUANKANAL.exe	Builder.exe
PID 4428 wrote to memory of 2396	4428	RaccoonStealerINJUANKANAL.exe	Builder.exe
PID 4428 wrote to memory of 2396	4428	RaccoonStealerINJUANKANAL.exe	Builder.exe
PID 4428 wrote to memory of 2684	4428	RaccoonStealerINJUANKANAL.exe	RunIt.exe
PID 4428 wrote to memory of 2684	4428	RaccoonStealerINJUANKANAL.exe	RunIt.exe
PID 4428 wrote to memory of 2684	4428	RaccoonStealerINJUANKANAL.exe	RunIt.exe

C:\Users\Admin\AppData\Local\Temp\RaccoonStealerINJUANKANAL.exe
"C:\Users\Admin\AppData\Local\Temp\RaccoonStealerINJUANKANAL.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4428
- C:\Users\Admin\AppData\Local\Temp\Builder.exe
  "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2396
- C:\ProgramData\WindowsDataC.exe
  "C:\ProgramData\WindowsDataC.exe"
  2⤵
  - Executes dropped EXE
  PID:3832
- C:\Users\Admin\AppData\Local\Temp\StormKittyBuild.exe
  "C:\Users\Admin\AppData\Local\Temp\StormKittyBuild.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:184
- C:\Users\Admin\AppData\Local\Temp\RunIt.exe
  "C:\Users\Admin\AppData\Local\Temp\RunIt.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WindowsDataC.exe

Filesize
566KB

MD5
112d2c4d2578955d04e3eb771dd938e2

SHA1
d4f7a591ca4b073d96256860637fcc808a369ba8

SHA256
e3d91cacfa390bbc7a27ba4a25005569eda0033ac5a3c7b83328be80dbde747b

SHA512
72aaffcd1f3ca17be585259c9bf355615d24730773e720dbcf73810c92c8916a23a626d053ba1ebdf81efc4b5e6c283699990d5de6b1752b2df59f72ed8eb122

Download Submit
C:\Users\Admin\AppData\Local\Temp\Builder.exe

Filesize
40KB

MD5
766b531d3ea87df07f4a30478e0b6fea

SHA1
3a723efa352eff3421bb1a6fbee9aac3c68a56bd

SHA256
d3cf46a48919b2e21163ec3a38b3212eb2a130c0c58e9797590d0ef1767583d8

SHA512
a8ba8f652cf030daad7ef4971b41253cfe57717b70c4aeed0ce1689a73d6d92562185e9b9aa672f6da1ce4ab476b152d08026060ed41d1b97f19044c135b4742

Download Submit
C:\Users\Admin\AppData\Local\Temp\RunIt.exe

Filesize
143KB

MD5
d067619856f7f3079375960f62b99369

SHA1
964d548557dec3aa8e851526b71adca4b4ddbfd5

SHA256
9770561d2a27dbc16c230fe88af51f718d7d6274fcd63a3f109c381be848b4a9

SHA512
1ec891082ac133833217ce8314f6d163451c5554b789cbf8a5ff0d5ebd0b55a7ec49ea5c408bf784e6952a37526de9e77e6c39b9a4ea3b950c3fda44e7f973b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\StormKittyBuild.exe

Filesize
302KB

MD5
96c3df8d899558286dc9718cd94a680a

SHA1
aec23b5649301dc1642cc35ac01a261b9afccfc8

SHA256
1cba57cf25eca5211c78a90680c64b01d4b08ce191834f3dd6716c6435b4d869

SHA512
de23986e8ec4fb2f75142fe539fb1e201306e812947b2c05fb6d9ce1303db37c07516e7694839f2f657c5ecb358dcb8a5f8668a8c4f1932dbfb0911c379b8681

Download Submit
memory/184-50-0x0000000002690000-0x0000000002704000-memory.dmp

Filesize
464KB

Download
memory/184-65-0x00007FFD2AFF0000-0x00007FFD2BAB1000-memory.dmp

Filesize
10.8MB

Download
memory/184-52-0x0000000000980000-0x0000000000986000-memory.dmp

Filesize
24KB

Download
memory/184-47-0x0000000000080000-0x00000000000CE000-memory.dmp

Filesize
312KB

Download
memory/184-51-0x00007FFD2AFF0000-0x00007FFD2BAB1000-memory.dmp

Filesize
10.8MB

Download
memory/2396-55-0x0000000000430000-0x000000000043E000-memory.dmp

Filesize
56KB

Download
memory/2684-54-0x0000000000B50000-0x0000000000B7A000-memory.dmp

Filesize
168KB

Download
memory/2684-58-0x0000000005150000-0x00000000051EC000-memory.dmp

Filesize
624KB

Download
memory/2684-59-0x00000000052E0000-0x00000000052EA000-memory.dmp

Filesize
40KB

Download
memory/2684-56-0x00000000055B0000-0x0000000005B54000-memory.dmp

Filesize
5.6MB

Download
memory/2684-57-0x00000000050A0000-0x0000000005132000-memory.dmp

Filesize
584KB

Download
memory/3832-66-0x000000001B460000-0x000000001B609000-memory.dmp

Filesize
1.7MB

Download
memory/3832-48-0x00007FFD2AFF0000-0x00007FFD2BAB1000-memory.dmp

Filesize
10.8MB

Download
memory/3832-64-0x00007FFD2AFF0000-0x00007FFD2BAB1000-memory.dmp

Filesize
10.8MB

Download
memory/4428-4-0x000000001BC50000-0x000000001BCD0000-memory.dmp

Filesize
512KB

Download
memory/4428-0-0x00007FFD2AFF3000-0x00007FFD2AFF5000-memory.dmp

Filesize
8KB

Download
memory/4428-61-0x00007FFD2AFF3000-0x00007FFD2AFF5000-memory.dmp

Filesize
8KB

Download
memory/4428-62-0x00007FFD2AFF0000-0x00007FFD2BAB1000-memory.dmp

Filesize
10.8MB

Download
memory/4428-63-0x000000001B950000-0x000000001BAF9000-memory.dmp

Filesize
1.7MB

Download
memory/4428-2-0x00007FFD2AFF0000-0x00007FFD2BAB1000-memory.dmp

Filesize
10.8MB

Download
memory/4428-3-0x00007FFD2AFF0000-0x00007FFD2BAB1000-memory.dmp

Filesize
10.8MB

Download
memory/4428-1-0x0000000000BD0000-0x0000000000C66000-memory.dmp

Filesize
600KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads