stormkitty | 0d20648267d3004ba95b04f9ef01f3f6e40644b46773990807c2741adbdd3d82

Analysis

max time kernel
139s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-10-2024 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FindWalletv3.2-Crack.exe
Size

3.5MB
MD5

68f929dc1286bf7af65bf056845f9b42
SHA1

1f1d9848811b3c00066f8be86035fda994ceedfd
SHA256

0d20648267d3004ba95b04f9ef01f3f6e40644b46773990807c2741adbdd3d82
SHA512

d2019f58239c44e8a0b2e92c04985943c998e32974b9a322fd3d925c13ec83b733520ddc06c15b2e43ab2587b1fbb4f799b6972f5f9b4069c5d7023cf720249a
SSDEEP

24576:GfP8j/svhs+hp5kH4vysV988IMf4r27GCS040YVqxzvXyKxNt38GT8JDPVv5+2tp:UP8j/MW+ise8IW4rF5ovXy6t7BQj1

Score

10^/10

stormkitty collection discovery spyware stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Client.exe	family_stormkitty
behavioral2/memory/892-28-0x0000000000B50000-0x0000000000BA6000-memory.dmp	family_stormkitty

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

FindWalletv3.2-Crack.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	FindWalletv3.2-Crack.exe

Executes dropped EXE 2 IoCs

Processes:

Client.exeFind Wallet v3.2-Crack.exe

pid process

892 Client.exe
2476 Find Wallet v3.2-Crack.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

Client.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Client.exe
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Client.exe
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Client.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 4 IoCs

Processes:

Client.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\ZTSLLRFH\FileGrabber\Pictures\desktop.ini	Client.exe
File created	C:\Users\Admin\AppData\Local\ZTSLLRFH\FileGrabber\Desktop\desktop.ini	Client.exe
File created	C:\Users\Admin\AppData\Local\ZTSLLRFH\FileGrabber\Documents\desktop.ini	Client.exe
File created	C:\Users\Admin\AppData\Local\ZTSLLRFH\FileGrabber\Downloads\desktop.ini	Client.exe

Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 freegeoip.app
9 freegeoip.app
42 api.ipify.org
43 api.ipify.org
44 ip-api.com
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
8	freegeoip.app
9	freegeoip.app
42	api.ipify.org
43	api.ipify.org
44	ip-api.com

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

FindWalletv3.2-Crack.exeClient.exeFind Wallet v3.2-Crack.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FindWalletv3.2-Crack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Find Wallet v3.2-Crack.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Client.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Client.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

Client.exe

pid	process
892	Client.exe
892	Client.exe
892	Client.exe
892	Client.exe
892	Client.exe
892	Client.exe
892	Client.exe
892	Client.exe
892	Client.exe
892	Client.exe
892	Client.exe
892	Client.exe
892	Client.exe
892	Client.exe
892	Client.exe
892	Client.exe
892	Client.exe
892	Client.exe
892	Client.exe
892	Client.exe
892	Client.exe
892	Client.exe
892	Client.exe
892	Client.exe
892	Client.exe
892	Client.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Client.exe

description pid process

Token: SeDebugPrivilege 892 Client.exe

description	pid	process
Token: SeDebugPrivilege	892	Client.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

FindWalletv3.2-Crack.exe

description	pid	process	target process
PID 2596 wrote to memory of 892	2596	FindWalletv3.2-Crack.exe	Client.exe
PID 2596 wrote to memory of 892	2596	FindWalletv3.2-Crack.exe	Client.exe
PID 2596 wrote to memory of 892	2596	FindWalletv3.2-Crack.exe	Client.exe
PID 2596 wrote to memory of 2476	2596	FindWalletv3.2-Crack.exe	Find Wallet v3.2-Crack.exe
PID 2596 wrote to memory of 2476	2596	FindWalletv3.2-Crack.exe	Find Wallet v3.2-Crack.exe
PID 2596 wrote to memory of 2476	2596	FindWalletv3.2-Crack.exe	Find Wallet v3.2-Crack.exe

outlook_office_path 1 IoCs

Processes:

Client.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Client.exe

outlook_win_path 1 IoCs

Processes:

Client.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Client.exe

C:\Users\Admin\AppData\Local\Temp\FindWalletv3.2-Crack.exe
"C:\Users\Admin\AppData\Local\Temp\FindWalletv3.2-Crack.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Users\Admin\AppData\Roaming\Client.exe
  "C:\Users\Admin\AppData\Roaming\Client.exe"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Drops desktop.ini file(s)
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:892
- C:\Users\Admin\AppData\Roaming\Find Wallet v3.2-Crack.exe
  "C:\Users\Admin\AppData\Roaming\Find Wallet v3.2-Crack.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ZTSLLRFH\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\ZTSLLRFH\FileGrabber\Desktop\ConvertFromUpdate.txt

Filesize
666KB

MD5
0b9a45c285cbba136975ce1715861cb7

SHA1
5e125d7c6d572c49e9bd5d03b67b4713ff9b5a08

SHA256
6b535be93f58df2fd6eb283d2f2032f41cd5c134d94ac0106580b6a87fdf8cd9

SHA512
e459d50f345553d279ab0c07d09df78e1548fed3b0e997623207651192b6e26f62162d49d68ccb1c8d6dfade6ae233e256ae80f35ac97d2f9e59fa4fcf73d77c

Download Submit
C:\Users\Admin\AppData\Local\ZTSLLRFH\FileGrabber\Desktop\ProtectClose.pdf

Filesize
633KB

MD5
f142fc56a95146b97fcefde3d00df35e

SHA1
ef1799de66acae8b28ddf64decd9a29e348fe628

SHA256
ab183483d5a03277831b12021ff3512880291a0484579d1eb221f5e1a4323b64

SHA512
697010cbd48edc048cef2b0a9dde196e1d5b916b5fec6a3261ea2031a53a03beb76939ebda5a33df4a8e6118cb75dfb255b3b77bef0ab179084ef823cdf919bf

Download Submit
C:\Users\Admin\AppData\Local\ZTSLLRFH\FileGrabber\Documents\InitializeUnregister.doc

Filesize
1.2MB

MD5
f61128b3160e47e4390bd9ba14b37e17

SHA1
f8d9e98e4598ba655dd4fcb2b451d5a3ad3706b2

SHA256
8d3c02613d580fffd44429df94889945569a57aca2fbcdeeee43edff3a057db5

SHA512
e3a0b144f6af1c0d6901e79adcb56dc46e8107382a47531098690c9a5777c11db96cd3b8433f9c34cbb4637d6fc4e7df1e15e342f7085d8e40692d990f36f703

Download Submit
C:\Users\Admin\AppData\Local\ZTSLLRFH\FileGrabber\Documents\InvokeStep.xlsx

Filesize
1.9MB

MD5
b3a76e717bcd65653de8f52d6a4f21c7

SHA1
9dc5b9195fccc98b489ee67b5a7b3b79902c7ba4

SHA256
8f9fd8e63d58c3dfb425921a4fb960a78a13fcbb64bfacbf7f3dc8a3ecaaf80e

SHA512
5ffb226c06b2375d32381b33e40a37143d5c012c8cf5f3673a7b55cb46dbe049ce7709de4a442db3d4c38227ee504ea1e6561affb42df3b7a32b96e2c8d9907f

Download Submit
C:\Users\Admin\AppData\Local\ZTSLLRFH\FileGrabber\Downloads\DisconnectWrite.docx

Filesize
1.0MB

MD5
ea09ded02d43017f3cc995e8c065d176

SHA1
e888f0af3f2f17be7e8728b876a5becd86bc7e17

SHA256
490c65e7fbf0a51640b21310a25d96195b1821d6f79ad395cb169617d94a97a7

SHA512
afaa16cb83e306e3a0e2d23f3568bb1d344312b91304bfd3987791cfb7d1738a8d2d84482c8110fd32f9da61bc5df2ab95509c09b07ad97eef6a7c1942b74480

Download Submit
C:\Users\Admin\AppData\Local\ZTSLLRFH\FileGrabber\Downloads\ExpandRedo.txt

Filesize
1.2MB

MD5
6a858892a9248ce9505016188b832c89

SHA1
cb7b52b7e7e5c761eaeae3d3a58395e75a3633f5

SHA256
bd10f7fe7649e22d986e279d07fc3c4860d02b2f80b241bd691f1cb02b2c1a6c

SHA512
acdf8b52bd44ea9b8374c43ccee85de148406a43cc953e93f26394f1e66d25feb83af80a6ff3420a734bcc3de5dace14e8dc25455a9d9a864c135b8feaf73aef

Download Submit
C:\Users\Admin\AppData\Local\ZTSLLRFH\FileGrabber\Pictures\ApproveShow.svg

Filesize
266KB

MD5
79e68caf1f7e84dff4359f1cc4bfedca

SHA1
85b775713c004813b47558bb2814cb736541b995

SHA256
aa72c364fd3bc7d1872d09e6bf653b1083f9006c49c1a57563f2bdc970a04e61

SHA512
920ea27db7c938ffb358e2d8471facd78e625210cca1c5418735c400ab2b997d61bc05d1d0632584effcab3f4ab33d63361b960c4eb2468d1699b7ad8362fc5b

Download Submit
C:\Users\Admin\AppData\Local\ZTSLLRFH\FileGrabber\Pictures\ApproveWrite.png

Filesize
564KB

MD5
f0378b89e99000f4ae042e5e512860cc

SHA1
f4384c44207f623b4477a44c75ab1461f3ed4978

SHA256
c1008374168363a62179c713634b87b9d626950f437600b49f56aa54c7ff108e

SHA512
86e16a94b966e6b54dd4130a3f0840405f69b0833932d423ab63b5846cf3610fd8d3c206191bf979d571729eb8d5ea6eac4a266df26487892bb0414d8da66693

Download Submit
C:\Users\Admin\AppData\Local\ZTSLLRFH\FileGrabber\Pictures\ConfirmClear.svg

Filesize
308KB

MD5
b0b41411da1aa96b9ae0506307e98466

SHA1
49d3f24b7486ad7ac123d47fdc6115249c6575dc

SHA256
54e9d0c46b3a3f226ace5363aca624fd10c334bbf5e46117a07d014c1008298c

SHA512
9bdf503b68b6b0c427b2d3ac0367df197660ecc5063b5b54fedde4e555bd3d4fe0c0833fe2c7529fae9006481d951d654ffcc950e5169c416a81dd3eb380567a

Download Submit
C:\Users\Admin\AppData\Local\ZTSLLRFH\FileGrabber\Pictures\GetLimit.jpg

Filesize
330KB

MD5
9d1c025fb014760ec38d4922c69ea7f5

SHA1
6ddd900ddcea8660e601424cfe74406499e7b2aa

SHA256
0ac83485205ab5c1678280eb09e03cdf3773179b453ca5a07cbfa0a24d1f30ef

SHA512
f48ae31a825f5dd0055d0288d7a676f23717af07be14562be733d774870b928894599b89e7c47c988b9f88606bc75abbd83617876be7efc6faac1f88d7a70b51

Download Submit
C:\Users\Admin\AppData\Local\ZTSLLRFH\Process.txt

Filesize
4KB

MD5
02bc546cd669077d1a5c5f1c1ae5b265

SHA1
2eb5640219ebab51e355c3b862d9dce60361db00

SHA256
aff670b25fe8934c6630d1e03ed6470d5cfcb38165972739aa7a83fc7dc2c776

SHA512
41eaa4e3d833c0a3ac1476ed3334514a07f5a606948bb47964cf1107646817b04a9a797e81e67a56afea17e19018118525686963fb82ed9081faee34bc1c640d

Download Submit
C:\Users\Admin\AppData\Roaming\Client.exe

Filesize
320KB

MD5
bc5da83795b587fb1dfce2d6bef2d176

SHA1
ccfd73ae06c12385a19f0cc836ac8a8bfda8c8d0

SHA256
d8539aec2e01d20b840f4c35ae675eca7f85de828282d03c4aabad6034cd8ffb

SHA512
503399a12376fd8036d2cc89cfb0652038e708dc9f098c55dfd19c04ff0646ffce31ecbfd84271ad2334058a2aa074bd53f96483d1fcb32bdacdc4a965957ff5

Download Submit
C:\Users\Admin\AppData\Roaming\Find Wallet v3.2-Crack.exe

Filesize
3.0MB

MD5
c309cb9865dfc6dbb7f977f4c0f722c0

SHA1
b3a7d7fbedfeb6edd951f4b5d9a28b2af44dbfe9

SHA256
51472e512316807270d85560bf6e3030355007c36a4f74d59a286411bb5378b5

SHA512
a70067011aa20c814d927e628e229800b0ea6918be755dae17d27edb5ea5072de595d115cd134a8d77ab87e323657b6a0a22e31dbf6a74278e07219e64960797

Download Submit
memory/892-237-0x0000000072070000-0x0000000072820000-memory.dmp

Filesize
7.7MB

Download
memory/892-31-0x0000000072070000-0x0000000072820000-memory.dmp

Filesize
7.7MB

Download
memory/892-66-0x0000000006C40000-0x0000000006CA6000-memory.dmp

Filesize
408KB

Download
memory/892-299-0x0000000072070000-0x0000000072820000-memory.dmp

Filesize
7.7MB

Download
memory/892-62-0x0000000006DD0000-0x0000000007374000-memory.dmp

Filesize
5.6MB

Download
memory/892-187-0x000000007207E000-0x000000007207F000-memory.dmp

Filesize
4KB

Download
memory/892-26-0x000000007207E000-0x000000007207F000-memory.dmp

Filesize
4KB

Download
memory/892-56-0x0000000006780000-0x0000000006812000-memory.dmp

Filesize
584KB

Download
memory/892-28-0x0000000000B50000-0x0000000000BA6000-memory.dmp

Filesize
344KB

Download
memory/2476-64-0x0000000008E40000-0x0000000008E4E000-memory.dmp

Filesize
56KB

Download
memory/2476-29-0x0000000072070000-0x0000000072820000-memory.dmp

Filesize
7.7MB

Download
memory/2476-30-0x0000000000D40000-0x0000000001050000-memory.dmp

Filesize
3.1MB

Download
memory/2476-32-0x0000000072070000-0x0000000072820000-memory.dmp

Filesize
7.7MB

Download
memory/2476-189-0x0000000072070000-0x0000000072820000-memory.dmp

Filesize
7.7MB

Download
memory/2476-273-0x0000000072070000-0x0000000072820000-memory.dmp

Filesize
7.7MB

Download
memory/2476-63-0x0000000008E70000-0x0000000008EA8000-memory.dmp

Filesize
224KB

Download
memory/2596-0-0x0000000074EA2000-0x0000000074EA3000-memory.dmp

Filesize
4KB

Download
memory/2596-27-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/2596-2-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/2596-1-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download