stormkitty | 8d41693aaa810b87d9523a64abac0a0c21db7b9542fbf7fda917a99e4464f89f

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-09-2024 16:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.exe
Size

320KB
MD5

db2bbb44f30afac31f911fe16b9db58c
SHA1

e4f9728b0f771e61813132dfd10b245b2f0dc94c
SHA256

8d41693aaa810b87d9523a64abac0a0c21db7b9542fbf7fda917a99e4464f89f
SHA512

acc12ca3f600e9105762114fa9224bccf4cdb1cfe02e364e3fdfbfe57aafcaa37b82af1e1929b47d9bf1db60cd7c239fbbfb4fea8fb2945b70d51edca8490f85
SSDEEP

6144:/3/Q1Q5Ng68j/svuP8wSFUygWK0tWrcBOvn:/3/Q6P8j/svugtZB

Score

10^/10

stormkitty collection discovery spyware stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2152-1-0x0000000000A40000-0x0000000000A96000-memory.dmp	family_stormkitty

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

1.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 3 IoCs

Processes:

1.exe

description	ioc	process
File created	C:\ProgramData\UPNECVIU\FileGrabber\Desktop\desktop.ini	1.exe
File created	C:\ProgramData\UPNECVIU\FileGrabber\Downloads\desktop.ini	1.exe
File created	C:\ProgramData\UPNECVIU\FileGrabber\Pictures\desktop.ini	1.exe

Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 api.ipify.org
17 api.ipify.org
18 ip-api.com
20 api.ipify.org
21 api.ipify.org
2 freegeoip.app
5 freegeoip.app
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

1.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1.exe

flow	ioc
16	api.ipify.org
17	api.ipify.org
18	ip-api.com
20	api.ipify.org
21	api.ipify.org
2	freegeoip.app
5	freegeoip.app

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	1.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

1.exe

pid process

2152 1.exe
2152 1.exe
2152 1.exe
2152 1.exe
2152 1.exe
2152 1.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1.exe

description pid process

Token: SeDebugPrivilege 2152 1.exe

pid	process
2152	1.exe
2152	1.exe
2152	1.exe
2152	1.exe
2152	1.exe
2152	1.exe

description	pid	process
Token: SeDebugPrivilege	2152	1.exe

outlook_office_path 1 IoCs

Processes:

1.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1.exe

outlook_win_path 1 IoCs

Processes:

1.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1.exe

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
1⤵
- Accesses Microsoft Outlook profiles
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\UPNECVIU\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\ProgramData\UPNECVIU\FileGrabber\Desktop\CheckpointMerge.xlsx

Filesize
13KB

MD5
571f79c22c24ac02c7ef5a2191af5823

SHA1
36a9685b02fceeb00d11f01ae5d51ee10e66db88

SHA256
2fa8f40deeb6a23ad77b533755690e70014efad7675528450a72feb2036d9c2c

SHA512
31681631648edf1f08c289f960bdb562506d13988638d90a17c8b07d51758fa0f57e4ad04157762281f22b3a8a4281f5836ba36041a4d54974593e8d53555dc1

Download Submit
C:\ProgramData\UPNECVIU\FileGrabber\Desktop\GrantJoin.jpeg

Filesize
459KB

MD5
422685d445860a8e5433cc22031550ff

SHA1
19a042f140ca40ecd456e56bdc8574c1d5303ea4

SHA256
41eebe46f479b62da195e4ab6263e0fb966186432417d81ed38deddf2b394a8c

SHA512
152217f9680738556bc7cb68191183ae928e815625b8dc26c0732fa38fbe4ae4ff071eadf3e284eaa0f841d6ab522f0045b174ee2fc8166b1214a2fb79ad0e87

Download Submit
C:\ProgramData\UPNECVIU\FileGrabber\Documents\ApproveSend.rtf

Filesize
860KB

MD5
3ea7e46dd187868cc6a82f21955c3610

SHA1
7dd32f206163e72ea77a850fc7ac1762d9b05b90

SHA256
7e1de484d3470f245d42aab6232fbaeae2b9beb1335c23a746626ce609e39c51

SHA512
aba3306d8af0e86fb8dd0e49647c759aae31e04ae15e13c64399861691e86835334b018c7fe85ef932ddb582bf9dbac8d278189f9164c6365436c5fefe9f50f9

Download Submit
C:\ProgramData\UPNECVIU\FileGrabber\Documents\CopyExit.pdf

Filesize
923KB

MD5
4151d15fdb06b5cfe3dd574f6aa8da5b

SHA1
0f0051f64d78b84ab21ed8b9d2963817f40cb030

SHA256
c9cea117a260d665b3028dc907cfed9988fbb235886d2ad0962d24a536c42d99

SHA512
ddc61ecde4f5005aed3c4d10684de4ba4dab0b50e3fbf997e45fe48b9c385c32b73b077ec9021c2589948883586a12b706e4400b4133c8f7af2f7c327dd0272e

Download Submit
C:\ProgramData\UPNECVIU\FileGrabber\Downloads\ExportImport.html

Filesize
874KB

MD5
f6b406e922e017ae772d40c81351c036

SHA1
d11fb1b7188b4e59084ed14774661d1514a7ea00

SHA256
620116f01f43f191bf20e81b197574369800b9202a3147e1f0a1f4f8c6364379

SHA512
a51ac3b4886a527187eb75a9f28d27bd819b468e933ac5f2e3f3ec8572633abd6328aa7d4d286aa5094fb31296bcb11af822ea9bfd13d983588e650ca7ba9c03

Download Submit
C:\ProgramData\UPNECVIU\FileGrabber\Downloads\HideDeny.css

Filesize
837KB

MD5
3a7a2e902db654040ba666800d83b874

SHA1
f3c592455427ce7e683105a1a8bdf39bec8caba2

SHA256
d0b8eeb17f6d5b275694c9d2b27cd8cb2e940c59bd44a8edfc1df9dfbf47264f

SHA512
5ae58b60b61ba11681415c9d151dc1888a48bad7a54cfb76ad9fe767ea40d0f7b55728001c3e7ffa99a8a738b288bec3b00d504e53d844791dcdfacb27c36419

Download Submit
C:\ProgramData\UPNECVIU\FileGrabber\Pictures\DenyFind.png

Filesize
131KB

MD5
4e889485d8949b339511c0de6fea08e4

SHA1
f55e6ac3f8d4bf29d1ba0f7c8cbe68c5a0f3c132

SHA256
faaba7d47c5f004e39c8135ec7a0c66954909004ed534555641bafbbbb1889dc

SHA512
64a2482b74e15aed1f94b2d8417365a1b787b5b7cff195a3b8741a8c0131dfe6e544011b99a3e630eb6217345c93e0a0e384dd2b08d3304472da231ebe2ee67f

Download Submit
C:\ProgramData\UPNECVIU\FileGrabber\Pictures\RenameConvertTo.png

Filesize
184KB

MD5
960e319b21d1c76f1afaac9dbed19a76

SHA1
83579a4bea7ff40128d1abdcb6e81f6f3d19d41c

SHA256
834fbffdb3c217686808824223a936e2ec3cbab2015e01d2b674d764f977a6a8

SHA512
820257a807be672b9e87db76e5ea82047348504e6e95aad88df36ec9f30e2d8231bec4dcd97bf20d1fb076eea4418adc6a36f5df8557c17929dc7a9bbf3eca31

Download Submit
C:\ProgramData\UPNECVIU\FileGrabber\Pictures\SuspendSwitch.png

Filesize
379KB

MD5
ad8a556216b464c7bbe6c8d16674febb

SHA1
dd6f91a78afd9c1cc64fde1e73b578e8659316ae

SHA256
e8f7d7e275111ea984fa5311807dff5885ca20502a0be15260cdb15e1fba98fc

SHA512
a0596113680818157d888164fd68df58bcf862d15862cfa62e4d4b904f23ea1188f273c00e999b1035f0d53947bed4df87e230532c6f79998aad8be92ec2930f

Download Submit
memory/2152-2-0x0000000074330000-0x0000000074A1E000-memory.dmp

Filesize
6.9MB

Download
memory/2152-1-0x0000000000A40000-0x0000000000A96000-memory.dmp

Filesize
344KB

Download
memory/2152-0-0x000000007433E000-0x000000007433F000-memory.dmp

Filesize
4KB

Download
memory/2152-165-0x000000007433E000-0x000000007433F000-memory.dmp

Filesize
4KB

Download
memory/2152-166-0x0000000074330000-0x0000000074A1E000-memory.dmp

Filesize
6.9MB

Download
memory/2152-192-0x0000000074330000-0x0000000074A1E000-memory.dmp

Filesize
6.9MB

Download