stormkitty | 0d20648267d3004ba95b04f9ef01f3f6e40644b46773990807c2741adbdd3d82

Analysis

max time kernel
362s
max time network
887s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
25-10-2024 06:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Find Wallet v3.2-Crack.exe
Size

3.5MB
MD5

68f929dc1286bf7af65bf056845f9b42
SHA1

1f1d9848811b3c00066f8be86035fda994ceedfd
SHA256

0d20648267d3004ba95b04f9ef01f3f6e40644b46773990807c2741adbdd3d82
SHA512

d2019f58239c44e8a0b2e92c04985943c998e32974b9a322fd3d925c13ec83b733520ddc06c15b2e43ab2587b1fbb4f799b6972f5f9b4069c5d7023cf720249a
SSDEEP

24576:GfP8j/svhs+hp5kH4vysV988IMf4r27GCS040YVqxzvXyKxNt38GT8JDPVv5+2tp:UP8j/MW+ise8IW4rF5ovXy6t7BQj1

Score

10^/10

stormkitty collection discovery spyware stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Client.exe	family_stormkitty
behavioral2/memory/332-17-0x0000000000ED0000-0x0000000000F26000-memory.dmp	family_stormkitty

Executes dropped EXE 2 IoCs

Processes:

Client.exeFind Wallet v3.2-Crack.exe

pid process

332 Client.exe
1560 Find Wallet v3.2-Crack.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

Client.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Client.exe
Key opened	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Client.exe
Key opened	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Client.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 3 IoCs

Processes:

Client.exe

description	ioc	process
File created	C:\ProgramData\YBQDFVLH\FileGrabber\Desktop\desktop.ini	Client.exe
File opened for modification	C:\ProgramData\YBQDFVLH\FileGrabber\Desktop\desktop.ini	Client.exe
File created	C:\ProgramData\YBQDFVLH\FileGrabber\Documents\desktop.ini	Client.exe

Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

19 ip-api.com
1 freegeoip.app
3 freegeoip.app
17 api.ipify.org
18 api.ipify.org
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
19	ip-api.com
1	freegeoip.app
3	freegeoip.app
17	api.ipify.org
18	api.ipify.org

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Find Wallet v3.2-Crack.exeClient.exeFind Wallet v3.2-Crack.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Find Wallet v3.2-Crack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Find Wallet v3.2-Crack.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Client.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Client.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

Client.exe

pid	process
332	Client.exe
332	Client.exe
332	Client.exe
332	Client.exe
332	Client.exe
332	Client.exe
332	Client.exe
332	Client.exe
332	Client.exe
332	Client.exe
332	Client.exe
332	Client.exe
332	Client.exe
332	Client.exe
332	Client.exe
332	Client.exe
332	Client.exe
332	Client.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Client.exe

description pid process

Token: SeDebugPrivilege 332 Client.exe

description	pid	process
Token: SeDebugPrivilege	332	Client.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

Find Wallet v3.2-Crack.exe

description	pid	process	target process
PID 4160 wrote to memory of 332	4160	Find Wallet v3.2-Crack.exe	Client.exe
PID 4160 wrote to memory of 332	4160	Find Wallet v3.2-Crack.exe	Client.exe
PID 4160 wrote to memory of 332	4160	Find Wallet v3.2-Crack.exe	Client.exe
PID 4160 wrote to memory of 1560	4160	Find Wallet v3.2-Crack.exe	Find Wallet v3.2-Crack.exe
PID 4160 wrote to memory of 1560	4160	Find Wallet v3.2-Crack.exe	Find Wallet v3.2-Crack.exe
PID 4160 wrote to memory of 1560	4160	Find Wallet v3.2-Crack.exe	Find Wallet v3.2-Crack.exe

outlook_office_path 1 IoCs

Processes:

Client.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Client.exe

outlook_win_path 1 IoCs

Processes:

Client.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Client.exe

C:\Users\Admin\AppData\Local\Temp\Find Wallet v3.2-Crack.exe
"C:\Users\Admin\AppData\Local\Temp\Find Wallet v3.2-Crack.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4160
- C:\Users\Admin\AppData\Roaming\Client.exe
  "C:\Users\Admin\AppData\Roaming\Client.exe"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Drops desktop.ini file(s)
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:332
- C:\Users\Admin\AppData\Roaming\Find Wallet v3.2-Crack.exe
  "C:\Users\Admin\AppData\Roaming\Find Wallet v3.2-Crack.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\YBQDFVLH\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\ProgramData\YBQDFVLH\FileGrabber\Desktop\MergeGet.doc

Filesize
710KB

MD5
c6af739734599b00a2f016907810baf4

SHA1
a69512077197cb823701bf1e19f4fec8d138eed8

SHA256
3783ab69a3923413f54d63c6f80ba8a1ffe8c8813ca6dfb1e5e2a8ff60953a07

SHA512
2c91009e1d89002d51cfca23ce6885388122e42e1e9aafc4ccebcdcfe69a05942cc00ab510fa5aa01108605d5cdf0572619716c86160d9239da93e8cc5f03a5b

Download Submit
C:\ProgramData\YBQDFVLH\FileGrabber\Desktop\ResumeConvertFrom.doc

Filesize
888KB

MD5
b187069f7c80830671986b842522b771

SHA1
260d8aaadbc42b59f058319ebe181bec8f39e71d

SHA256
ffa14dd0cda790483877e7b4950af7d9abfa7f380e7ddb4413d44289544644c2

SHA512
2ad755693f3dcdc0e623f704d9164ccc65a772e00c1965e36e6fd200887035f878ea932d0750cd532980ed990da58199a05af5c22186dacbb2ea7c51decba005

Download Submit
C:\ProgramData\YBQDFVLH\FileGrabber\Documents\FormatCheckpoint.html

Filesize
600KB

MD5
c80fa5231928fc074d3953d5ceb3b662

SHA1
56d3aa4ddee8086e83ed5b3372b4af0d8b46f6b8

SHA256
42fbcc361c34fbaf60ac3122244856d961b9fd5f3513d460096215f90b724ce5

SHA512
b179b6beb714bbf56102ff85a26d7534a0bb44ff2e88a36c1dfe00bfd2e73037b927ae314898744097fdf9752683a77b31b8c83cdd11709dbda911956a0e9e88

Download Submit
C:\ProgramData\YBQDFVLH\FileGrabber\Documents\JoinInitialize.ppt

Filesize
577KB

MD5
b2f78169bbe3dad3f75ecaadcf7382a0

SHA1
48e93be9775a737e43d8e5787c738e3661bf86de

SHA256
1562bb40f3715ea20333bb06dbf1cdedea778cd40afee161d4e3bb9dd390c653

SHA512
ba981b1ba8fdffc5b61b3d42e58b01c0a433b2ef5ea1e0b8fdd7726e46b777ff0ecddc0eb6bf24ed834fe75f2dbc9c10b48d6e6ef5b8d084cafb8a0697c0dacb

Download Submit
C:\ProgramData\YBQDFVLH\FileGrabber\Downloads\BlockResize.jpg

Filesize
398KB

MD5
d5a2b68ac9a2ce14148975da36c08ac3

SHA1
2589780a8b0f899679da80dcd90124da730d42cb

SHA256
3bd4e267f06090b00ee731f57411a9453fb261c153a13a581773d57cbf621e21

SHA512
ca2d0928810e47b64d3e9cd29ea4712fad4167644524271d7210bad90bb183449fc82bb9092a8722f65cf1bb33e4a582a598132437b1065e4d49af038d6a9dc4

Download Submit
C:\ProgramData\YBQDFVLH\FileGrabber\Downloads\CompleteWrite.docx

Filesize
1.0MB

MD5
556093cf3bafc472bc4106292438619e

SHA1
c0269c9a64585343a14d2859a00d2013a2b10e92

SHA256
c1718e3b0a473dc07f6040d933bcfb07ca070659abc3d2b3d70dc61c1d4a0c41

SHA512
2cb8d8de5eda314e7dbc897726d70319776b98c9ced4f19dcd33bb31959bead73a145c102343e217847f79ca63a4dcd72433ab3c4a8c1ccfe14a466e46008e45

Download Submit
C:\ProgramData\YBQDFVLH\FileGrabber\Pictures\AddRevoke.svg

Filesize
309KB

MD5
0e102c3093de5c3e8a37290aa9804b35

SHA1
19aeef82682a5ffa04177c45895a20ae02be72db

SHA256
9e791fcc5c9d026d50ab70727909a28ed70576e39457751907b3d996a472ec5b

SHA512
f81e49f880fa0f08a1fb39b7e29e1bcf87e64c5e49d6f8f2f0a0fd762ac2b658548e3728d4cf1d1bf3bb4b501a4d195998a2e377aa04332cd8d8da4a058c9455

Download Submit
C:\ProgramData\YBQDFVLH\FileGrabber\Pictures\BackupResume.bmp

Filesize
201KB

MD5
999c203862bfa4c707bcc2986b6ca932

SHA1
3bb85cc44a0f36e38bba6cace3c3a40904dd04fa

SHA256
5ce2cf643b930e687d05e00a95d636a87eeb819c36739a12557b837734cca068

SHA512
d436528f7f8bb274f90f51e7a66d866bd6a4526ea3eaa21a87164d2adc436fef2c591ddf79a35c3369dd57793acb459d054518b7d339d15203a283290e806271

Download Submit
C:\ProgramData\YBQDFVLH\FileGrabber\Pictures\ConvertFromSave.png

Filesize
481KB

MD5
f37cf4cbd45a3aeee2384937b1675cc0

SHA1
8960962edf0ac79050bd2827dcadb37178915c9b

SHA256
30f31236d521dbf12715927ac9cb088dd9cbe68a020d97f49281ee59fe41fe99

SHA512
c89a61da56b0744e8c1b83774577a522b3e4b603881a3a2da805e62cd3a4e614d3739876889c8867fd404ba55fda107976fce3d1ac496b8d5550f76c980f6a9b

Download Submit
C:\ProgramData\YBQDFVLH\FileGrabber\Pictures\CopyPublish.bmp

Filesize
270KB

MD5
3f23ea9ddeee7fe87c2c6878dc65ca8f

SHA1
6e34068cf731c65cd2effcfe1001892c7ce77f82

SHA256
07d5a728190e6ecf1baf33072a4145256d0f88c78e7e1dc8d33d15f648cc170e

SHA512
b2fe49103f194afe86a18784044c6e6e1e72886b16db314456dc6c5c83c21b0413c45822bc86f62db6700229c36429776b0997055571875d7e748486b8aac23f

Download Submit
C:\Users\Admin\AppData\Roaming\Client.exe

Filesize
320KB

MD5
bc5da83795b587fb1dfce2d6bef2d176

SHA1
ccfd73ae06c12385a19f0cc836ac8a8bfda8c8d0

SHA256
d8539aec2e01d20b840f4c35ae675eca7f85de828282d03c4aabad6034cd8ffb

SHA512
503399a12376fd8036d2cc89cfb0652038e708dc9f098c55dfd19c04ff0646ffce31ecbfd84271ad2334058a2aa074bd53f96483d1fcb32bdacdc4a965957ff5

Download Submit
C:\Users\Admin\AppData\Roaming\Find Wallet v3.2-Crack.exe

Filesize
3.0MB

MD5
c309cb9865dfc6dbb7f977f4c0f722c0

SHA1
b3a7d7fbedfeb6edd951f4b5d9a28b2af44dbfe9

SHA256
51472e512316807270d85560bf6e3030355007c36a4f74d59a286411bb5378b5

SHA512
a70067011aa20c814d927e628e229800b0ea6918be755dae17d27edb5ea5072de595d115cd134a8d77ab87e323657b6a0a22e31dbf6a74278e07219e64960797

Download Submit
memory/332-54-0x0000000006E60000-0x0000000006EC6000-memory.dmp

Filesize
408KB

Download
memory/332-15-0x00000000710CE000-0x00000000710CF000-memory.dmp

Filesize
4KB

Download
memory/332-251-0x00000000710C0000-0x00000000717AE000-memory.dmp

Filesize
6.9MB

Download
memory/332-48-0x0000000006F40000-0x000000000743E000-memory.dmp

Filesize
5.0MB

Download
memory/332-47-0x00000000069A0000-0x0000000006A32000-memory.dmp

Filesize
584KB

Download
memory/332-19-0x00000000710C0000-0x00000000717AE000-memory.dmp

Filesize
6.9MB

Download
memory/332-226-0x00000000710C0000-0x00000000717AE000-memory.dmp

Filesize
6.9MB

Download
memory/332-17-0x0000000000ED0000-0x0000000000F26000-memory.dmp

Filesize
344KB

Download
memory/332-224-0x00000000710CE000-0x00000000710CF000-memory.dmp

Filesize
4KB

Download
memory/1560-16-0x00000000710C0000-0x00000000717AE000-memory.dmp

Filesize
6.9MB

Download
memory/1560-225-0x00000000710C0000-0x00000000717AE000-memory.dmp

Filesize
6.9MB

Download
memory/1560-18-0x00000000004B0000-0x00000000007C0000-memory.dmp

Filesize
3.1MB

Download
memory/1560-49-0x00000000084F0000-0x0000000008528000-memory.dmp

Filesize
224KB

Download
memory/4160-0-0x0000000073661000-0x0000000073662000-memory.dmp

Filesize
4KB

Download
memory/4160-14-0x0000000073660000-0x0000000073C10000-memory.dmp

Filesize
5.7MB

Download
memory/4160-2-0x0000000073660000-0x0000000073C10000-memory.dmp

Filesize
5.7MB

Download
memory/4160-1-0x0000000073660000-0x0000000073C10000-memory.dmp

Filesize
5.7MB

Download