stormkitty | 0d20648267d3004ba95b04f9ef01f3f6e40644b46773990807c2741adbdd3d82

General

Target

Find Wallet v3.2-Crack.exe
Size

3.5MB
MD5

68f929dc1286bf7af65bf056845f9b42
SHA1

1f1d9848811b3c00066f8be86035fda994ceedfd
SHA256

0d20648267d3004ba95b04f9ef01f3f6e40644b46773990807c2741adbdd3d82
SHA512

d2019f58239c44e8a0b2e92c04985943c998e32974b9a322fd3d925c13ec83b733520ddc06c15b2e43ab2587b1fbb4f799b6972f5f9b4069c5d7023cf720249a
SSDEEP

24576:GfP8j/svhs+hp5kH4vysV988IMf4r27GCS040YVqxzvXyKxNt38GT8JDPVv5+2tp:UP8j/MW+ise8IW4rF5ovXy6t7BQj1

Score

10^/10

stormkitty collection discovery spyware stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Client.exe	family_stormkitty
behavioral3/memory/4612-36-0x0000000000C60000-0x0000000000CB6000-memory.dmp	family_stormkitty

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Find Wallet v3.2-Crack.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation	Find Wallet v3.2-Crack.exe

Executes dropped EXE 2 IoCs

Processes:

Client.exeFind Wallet v3.2-Crack.exe

pid process

4612 Client.exe
2964 Find Wallet v3.2-Crack.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

Client.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Client.exe
Key opened	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Client.exe
Key opened	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Client.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 3 IoCs

Processes:

Client.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\TEIQHMFC\FileGrabber\Desktop\desktop.ini	Client.exe
File created	C:\Users\Admin\AppData\Local\TEIQHMFC\FileGrabber\Documents\desktop.ini	Client.exe
File created	C:\Users\Admin\AppData\Local\TEIQHMFC\FileGrabber\Downloads\desktop.ini	Client.exe

Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 freegeoip.app
6 freegeoip.app
27 api.ipify.org
28 api.ipify.org
29 ip-api.com
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
5	freegeoip.app
6	freegeoip.app
27	api.ipify.org
28	api.ipify.org
29	ip-api.com

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Find Wallet v3.2-Crack.exeFind Wallet v3.2-Crack.exeClient.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Find Wallet v3.2-Crack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Find Wallet v3.2-Crack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Client.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Client.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

Client.exe

pid	process
4612	Client.exe
4612	Client.exe
4612	Client.exe
4612	Client.exe
4612	Client.exe
4612	Client.exe
4612	Client.exe
4612	Client.exe
4612	Client.exe
4612	Client.exe
4612	Client.exe
4612	Client.exe
4612	Client.exe
4612	Client.exe
4612	Client.exe
4612	Client.exe
4612	Client.exe
4612	Client.exe
4612	Client.exe
4612	Client.exe
4612	Client.exe
4612	Client.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Client.exe

description pid process

Token: SeDebugPrivilege 4612 Client.exe

description	pid	process
Token: SeDebugPrivilege	4612	Client.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

Find Wallet v3.2-Crack.exe

description	pid	process	target process
PID 3652 wrote to memory of 4612	3652	Find Wallet v3.2-Crack.exe	Client.exe
PID 3652 wrote to memory of 4612	3652	Find Wallet v3.2-Crack.exe	Client.exe
PID 3652 wrote to memory of 4612	3652	Find Wallet v3.2-Crack.exe	Client.exe
PID 3652 wrote to memory of 2964	3652	Find Wallet v3.2-Crack.exe	Find Wallet v3.2-Crack.exe
PID 3652 wrote to memory of 2964	3652	Find Wallet v3.2-Crack.exe	Find Wallet v3.2-Crack.exe
PID 3652 wrote to memory of 2964	3652	Find Wallet v3.2-Crack.exe	Find Wallet v3.2-Crack.exe

outlook_office_path 1 IoCs

Processes:

Client.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Client.exe

outlook_win_path 1 IoCs

Processes:

Client.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Client.exe

C:\Users\Admin\AppData\Local\Temp\Find Wallet v3.2-Crack.exe
"C:\Users\Admin\AppData\Local\Temp\Find Wallet v3.2-Crack.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3652
- C:\Users\Admin\AppData\Roaming\Client.exe
  "C:\Users\Admin\AppData\Roaming\Client.exe"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Drops desktop.ini file(s)
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:4612
- C:\Users\Admin\AppData\Roaming\Find Wallet v3.2-Crack.exe
  "C:\Users\Admin\AppData\Roaming\Find Wallet v3.2-Crack.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TEIQHMFC\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\TEIQHMFC\Process.txt

Filesize
4KB

MD5
d76b3b55903d33b8f8dad1c75068b9fa

SHA1
175fddaad3d80160dd36fc3f6e4202db3ad41632

SHA256
bcd4d941fccf6b008f5650d6a6720fe980ac14b63ad458f1fadec5c1b8dd9695

SHA512
dc99b59471de7c1a367d985e0d147bc1fd1aecb0734cd7c9c33ded6b4d18565ea9ff76a5b3e80d10f1226aa6c3b888aacb1e2b036fad8a24705846f8f8780b31

Download Submit
C:\Users\Admin\AppData\Roaming\Client.exe

Filesize
320KB

MD5
bc5da83795b587fb1dfce2d6bef2d176

SHA1
ccfd73ae06c12385a19f0cc836ac8a8bfda8c8d0

SHA256
d8539aec2e01d20b840f4c35ae675eca7f85de828282d03c4aabad6034cd8ffb

SHA512
503399a12376fd8036d2cc89cfb0652038e708dc9f098c55dfd19c04ff0646ffce31ecbfd84271ad2334058a2aa074bd53f96483d1fcb32bdacdc4a965957ff5

Download Submit
C:\Users\Admin\AppData\Roaming\Find Wallet v3.2-Crack.exe

Filesize
3.0MB

MD5
c309cb9865dfc6dbb7f977f4c0f722c0

SHA1
b3a7d7fbedfeb6edd951f4b5d9a28b2af44dbfe9

SHA256
51472e512316807270d85560bf6e3030355007c36a4f74d59a286411bb5378b5

SHA512
a70067011aa20c814d927e628e229800b0ea6918be755dae17d27edb5ea5072de595d115cd134a8d77ab87e323657b6a0a22e31dbf6a74278e07219e64960797

Download Submit
memory/2964-35-0x0000000071EB0000-0x0000000072661000-memory.dmp

Filesize
7.7MB

Download
memory/2964-40-0x0000000071EB0000-0x0000000072661000-memory.dmp

Filesize
7.7MB

Download
memory/2964-158-0x0000000071EB0000-0x0000000072661000-memory.dmp

Filesize
7.7MB

Download
memory/2964-152-0x0000000071EB0000-0x0000000072661000-memory.dmp

Filesize
7.7MB

Download
memory/2964-48-0x0000000008BB0000-0x0000000008BBE000-memory.dmp

Filesize
56KB

Download
memory/2964-33-0x0000000000170000-0x0000000000480000-memory.dmp

Filesize
3.1MB

Download
memory/2964-47-0x0000000008BE0000-0x0000000008C18000-memory.dmp

Filesize
224KB

Download
memory/3652-2-0x0000000074D40000-0x00000000752F1000-memory.dmp

Filesize
5.7MB

Download
memory/3652-34-0x0000000074D40000-0x00000000752F1000-memory.dmp

Filesize
5.7MB

Download
memory/3652-1-0x0000000074D40000-0x00000000752F1000-memory.dmp

Filesize
5.7MB

Download
memory/3652-0-0x0000000074D42000-0x0000000074D43000-memory.dmp

Filesize
4KB

Download
memory/4612-41-0x0000000006850000-0x00000000068E2000-memory.dmp

Filesize
584KB

Download
memory/4612-42-0x0000000006EA0000-0x0000000007446000-memory.dmp

Filesize
5.6MB

Download
memory/4612-44-0x0000000006D40000-0x0000000006DA6000-memory.dmp

Filesize
408KB

Download
memory/4612-37-0x0000000071EB0000-0x0000000072661000-memory.dmp

Filesize
7.7MB

Download
memory/4612-32-0x0000000071EBE000-0x0000000071EBF000-memory.dmp

Filesize
4KB

Download
memory/4612-36-0x0000000000C60000-0x0000000000CB6000-memory.dmp

Filesize
344KB

Download
memory/4612-153-0x0000000071EBE000-0x0000000071EBF000-memory.dmp

Filesize
4KB

Download
memory/4612-157-0x0000000071EB0000-0x0000000072661000-memory.dmp

Filesize
7.7MB

Download
memory/4612-167-0x0000000071EB0000-0x0000000072661000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads