stormkitty | f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-11-2024 06:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe
Size

320KB
MD5

784db6ac7ccfd32d66362a8bc13a3dfb
SHA1

cd4aeaae40459d5ba816fc94f623d732b26ac80f
SHA256

f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7
SHA512

d8b889479376a1d4cc5f75ed48e33f1c85bef7069b6f9901d0ca13c92e5a091f312dd5b9fb79842194b98a103ef30204b2879d786897a45f4fb246391bbeb77f
SSDEEP

6144:3m/Q1Q5Ng68j/svmHC40+XIzFUygWK0tWrcBOvB:3m/Q6P8j/svm1TXI5tZB

Score

10^/10

stormkitty collection discovery spyware stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/memory/1728-1-0x0000000000B20000-0x0000000000B76000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\UPNECVIU\FileGrabber\Documents\desktop.ini	f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe
File created	C:\Users\Admin\AppData\Roaming\UPNECVIU\FileGrabber\Downloads\desktop.ini	f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe
File created	C:\Users\Admin\AppData\Roaming\UPNECVIU\FileGrabber\Pictures\desktop.ini	f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe
File created	C:\Users\Admin\AppData\Roaming\UPNECVIU\FileGrabber\Desktop\desktop.ini	f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
18	api.ipify.org
19	api.ipify.org
20	ip-api.com
22	api.ipify.org
23	api.ipify.org
4	freegeoip.app
7	freegeoip.app

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1728	f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe
1728	f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe
1728	f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe
1728	f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe
1728	f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe
1728	f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1728	f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe

C:\Users\Admin\AppData\Local\Temp\f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe
"C:\Users\Admin\AppData\Local\Temp\f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe"
1⤵
- Accesses Microsoft Outlook profiles
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\UPNECVIU\FileGrabber\Desktop\ConfirmSet.txt

Filesize
454KB

MD5
fcf09d293d6cff9644a53ab78efca1cc

SHA1
389124012393042e1d0e2e05c580751792366b8e

SHA256
d2068a7dbf56abace3fb312eb814ac90afae707b69cf26897a96c68800094576

SHA512
a6870ee18c2ad7a64c271c0f16b1ae145420cb03acaee34f69e118cc3c2102f7a845d0f651eb8e8a2b87b0164c86504f1da84f6c2a50949c7b8901172c096ef9

Download Submit
C:\Users\Admin\AppData\Roaming\UPNECVIU\FileGrabber\Desktop\DisableRestore.css

Filesize
795KB

MD5
41f4facc00ac5b73c7f46fda6bec8d73

SHA1
fdc5c59a1c73311befc4256cab8cf6cd9eaee022

SHA256
76ea9c5ca869cb811c259d656ec502ec37bf8110ff09dc6f031f1fba4e4a5c72

SHA512
8e15ceada8f45e0ddd4fbae133b549e84e6d596d15004404672cdc58858973d12b33f13311b51c55382a9ac6ff65cb2576923142c89b19453b196b2e6f8d58d4

Download Submit
C:\Users\Admin\AppData\Roaming\UPNECVIU\FileGrabber\Documents\CompareRestart.pptx

Filesize
712KB

MD5
9ea42c4e2deb56d8bc6c2906100ff629

SHA1
d5bf80a418ebe230bc2a639d9d7ef675339f0dd6

SHA256
01c253312d99affa575d2636a1f89bae524fef08b11e42f16bd9837300a7e0f4

SHA512
1752387d6076e938c2661d42a623bd1d0b3e67d71e8f348e356b6d37b12520ee559852cd73126eea2b3ad86f19c56981160e69b80ebf92ef480d7466bdfc71dd

Download Submit
C:\Users\Admin\AppData\Roaming\UPNECVIU\FileGrabber\Documents\InstallInitialize.html

Filesize
892KB

MD5
9e4e8397ce604dbd50fb830110ba3e5c

SHA1
a2bb7af148d6e551a4128a8016102be972e022e2

SHA256
f4d1a5a79aec641fa1e969d5b5da838dcb4901a01ea771aab0425213c6159c11

SHA512
6f80d944df53386787c3a8c5e0157a4e38b2cd09f39ef63c819f4f1446a93f8c443409f3002c17692613ae37c011adf5cbdc968f9471aed577b55b5f3503e88f

Download Submit
C:\Users\Admin\AppData\Roaming\UPNECVIU\FileGrabber\Downloads\PushDisconnect.jpeg

Filesize
609KB

MD5
2e5b8af0cb4013a995488ec925216b17

SHA1
5813782332fb5f335dcbe6ac8c5b609f28ac1b23

SHA256
4cf4e70a3db6f7121c45f641b1364d5c214b8a09e8f56f4872c807ea63c39e30

SHA512
160c759f555430ee3b559c60410ef9c6b1079d00e64109486e17bae8ad2e855ba22e266720670a353e2785072cce28704d287335f4be47d2e35a2bfe9d7d62ca

Download Submit
C:\Users\Admin\AppData\Roaming\UPNECVIU\FileGrabber\Downloads\ResetRequest.jpg

Filesize
551KB

MD5
b20d0f3af5df7592f6d5347972af64c3

SHA1
2118b6bd1d0b5a3c352fb19ff9fb473a33c4870e

SHA256
0966774792c15d945e76aca3bcc176993615cb5ff9697daf52eee6383bc9313a

SHA512
2ebee01defd6e77ebaf2b80df5e88c39ba3ad8c4789399d8ee2ea3b51d9bc8fe11b2363d675047ba0ba3aea525947fffbb29cbd073a5bcd3aa8a6dfe60b9349c

Download Submit
C:\Users\Admin\AppData\Roaming\UPNECVIU\FileGrabber\Downloads\UnprotectTrace.bmp

Filesize
1.1MB

MD5
a40624f846d570db505b28e36cf7f499

SHA1
6a1db35ddb44ddd547398c0a2a564852b2b01246

SHA256
9edbb9d8c04e252809ebb2379920aa4232e1d6f362495bd7eb8910b669a230d9

SHA512
1171794a0fee8075ed646066e2a8d233b1abf49dd6941bd2c217d8e184548f44a666c6ce55a5bca4224cebad0335c6a21d3d3476ac1e8c6f5f78aa0f32beb2bd

Download Submit
C:\Users\Admin\AppData\Roaming\UPNECVIU\FileGrabber\Pictures\EnterPing.jpeg

Filesize
607KB

MD5
ca0545c3341ed6c799f12235d1bc3586

SHA1
b0376fe9b9241122ba4e1847b33a721edbaf4f52

SHA256
153fc660346a36bf429f98c41f4f058cf77e8593c31c26a54a3a09a7ea81db9f

SHA512
6578e8b6348b05ff7d86dee238c67c31498a0d4574b449b6359542a5acf3ab571b2801ba903f77ff4d295bb16d9580b01bacf9db5447e633c44eaff557f6933c

Download Submit
C:\Users\Admin\AppData\Roaming\UPNECVIU\FileGrabber\Pictures\MeasureUnblock.bmp

Filesize
575KB

MD5
67dfd5dbde76e145d82f42696cfb19eb

SHA1
711800c81a395e4ddf8c0510c5c2ffef1bae5cb9

SHA256
d1d79839241359e7167e979fc3f6a6e4b91925f1a1d1207ffd34e324c79416a8

SHA512
ef17ec2e387e79171ff4047b927b76989e9b99dc7ce70403b582e9539db275d5038597562deeaa5221cabc812de6f0f8a2ecc259d5d6cd2502ae42b0d8f3637d

Download Submit
C:\Users\Admin\AppData\Roaming\UPNECVIU\FileGrabber\Pictures\PopRestart.bmp

Filesize
980KB

MD5
7aeb41abd8089414b5ac2723121d4ce6

SHA1
0f9c797311453af8224af8ed2c67d22ad695b91b

SHA256
5ef186a2349f368badd00e2fc6b87110344c9cbb314f92e0c6f105fe000fc44a

SHA512
8d70f214e2948f4eebbb9abe136fe6c846804a98dcd4f65c8ed11ee81e3c1ae8891068c6484bace277ee56b9d1dc64e5dd865cb7ee74b581b2ed4f66cb94614b

Download Submit
memory/1728-2-0x0000000074050000-0x000000007473E000-memory.dmp

Filesize
6.9MB

Download
memory/1728-1-0x0000000000B20000-0x0000000000B76000-memory.dmp

Filesize
344KB

Download
memory/1728-0-0x000000007405E000-0x000000007405F000-memory.dmp

Filesize
4KB

Download
memory/1728-160-0x000000007405E000-0x000000007405F000-memory.dmp

Filesize
4KB

Download
memory/1728-161-0x0000000074050000-0x000000007473E000-memory.dmp

Filesize
6.9MB

Download
memory/1728-185-0x0000000074050000-0x000000007473E000-memory.dmp

Filesize
6.9MB

Download