stormkitty | f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7

Analysis

max time kernel
141s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-11-2024 06:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe
Size

320KB
MD5

784db6ac7ccfd32d66362a8bc13a3dfb
SHA1

cd4aeaae40459d5ba816fc94f623d732b26ac80f
SHA256

f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7
SHA512

d8b889479376a1d4cc5f75ed48e33f1c85bef7069b6f9901d0ca13c92e5a091f312dd5b9fb79842194b98a103ef30204b2879d786897a45f4fb246391bbeb77f
SSDEEP

6144:3m/Q1Q5Ng68j/svmHC40+XIzFUygWK0tWrcBOvB:3m/Q6P8j/svm1TXI5tZB

Score

10^/10

stormkitty collection discovery spyware stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/3288-1-0x0000000000C30000-0x0000000000C86000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File created	C:\ProgramData\UTKBEBLO\FileGrabber\Pictures\desktop.ini	f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe
File created	C:\ProgramData\UTKBEBLO\FileGrabber\Desktop\desktop.ini	f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe
File created	C:\ProgramData\UTKBEBLO\FileGrabber\Documents\desktop.ini	f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe
File created	C:\ProgramData\UTKBEBLO\FileGrabber\Downloads\desktop.ini	f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	freegeoip.app
11	freegeoip.app
44	api.ipify.org
45	api.ipify.org
46	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
3288	f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe
3288	f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe
3288	f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe
3288	f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe
3288	f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe
3288	f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe
3288	f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe
3288	f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe
3288	f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe
3288	f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe
3288	f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe
3288	f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe
3288	f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe
3288	f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe
3288	f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe
3288	f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe
3288	f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe
3288	f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe
3288	f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe
3288	f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe
3288	f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe
3288	f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe
3288	f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe
3288	f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe
3288	f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe
3288	f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3288	f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe

C:\Users\Admin\AppData\Local\Temp\f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe
"C:\Users\Admin\AppData\Local\Temp\f20582d337156e7ce70bcb401ee568fdec0c2beb8c80490795ebfbf3218edaf7.exe"
1⤵
- Accesses Microsoft Outlook profiles
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\UTKBEBLO\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\ProgramData\UTKBEBLO\FileGrabber\Desktop\ConvertToUnprotect.ini

Filesize
829KB

MD5
741fc110138776bad2eb8e53527c832b

SHA1
6f8a796abd5532858984013989516d93ec5b9f99

SHA256
963d4d1fb60e995a3f363535d1fb3860628ba468b752a8bd70d4a1fa495262fb

SHA512
81af6fe5daa3a08eb26702ceecf5315291e0da706a2594265cfc7a8b57d0edeb65fd0d5bfe58992b8cf768251db8a865c837a291a7981d3205e363253af4f10c

Download Submit
C:\ProgramData\UTKBEBLO\FileGrabber\Desktop\DismountSave.js

Filesize
592KB

MD5
5fe7e011973dae24e8661d24b5e6ad29

SHA1
937ddd9e21a7308a51935e7dc556f635ae440847

SHA256
ad53c86ae4a35ca9fa6fc5e872df5b0c8d2d3a9701940fc33c00a942bae82a02

SHA512
e6f227e7c3aaf772d375013bbc7dabe4e819f5c1cf82de59de3cc81fdedc9516f82a3e96a94094943ff7ce9edd199eea6588c25c2587dcb7bcc76221cfbb18d0

Download Submit
C:\ProgramData\UTKBEBLO\FileGrabber\Documents\ApprovePing.xls

Filesize
625KB

MD5
871ce6c140ba1aaf911ef7b3927f5519

SHA1
65a4261ec36fc1eb8221df07eb10e3849245fa44

SHA256
5e25d4df7fae2877795c57823896779cd9a171d40cd5ada1231ec35c8940489b

SHA512
03192b360fc0555535fa1be4faff140b61c7584ef573a3510b0e44408f4d6ef5680eab8af721f6516908b37c077931f6fab0cc33283469766621dccbb9e22f57

Download Submit
C:\ProgramData\UTKBEBLO\FileGrabber\Documents\ImportEnter.pptx

Filesize
725KB

MD5
4486b478db3985192b8e1069d335ace2

SHA1
5fff692bbddd6e00476e2ed603eaea3803960baf

SHA256
14f64d3cab6fd54d9588be637a847a77fe1b93f6671d70a31869616832923179

SHA512
5d3fce3e05fde8c5b3f7c1f66e8c583f4cf53f743871c8356c28cf9de74fea951e49823fec4d7cdb794214a1ddd1d205768cbdf7f539cf30305b2eb4c32b87ac

Download Submit
C:\ProgramData\UTKBEBLO\FileGrabber\Downloads\CompressInvoke.docx

Filesize
865KB

MD5
963f6cb68d048b78952b0ba209d1f0e1

SHA1
e952c3116adacf5c3b516912ba91eb5793bb0511

SHA256
366f375b6f44d2e53e1e1836cfe56b1f36f01139d3d9666429f7055bb5d3d337

SHA512
81fcadd3ee96b857360baf09a3dc1ea1bc578eb0cb1521a3de791abd5ca01b1f7b34a54ed79a3fffe51617d97a1f73d903c69a7a2dfd2a11086482a666de3f39

Download Submit
C:\ProgramData\UTKBEBLO\FileGrabber\Downloads\SaveRepair.xls

Filesize
412KB

MD5
b64b231d600dfbc2e80f9bbc631bebdd

SHA1
848ff47dae5e76da0c22aac3b7b76a4bac8e70d0

SHA256
9bda6b220a410dc0bf0f8403f1ce207a2fa6841b06df418b5ae0d08aa2a759ed

SHA512
3e59012b88364c6321e705d59c579e04c561239df62422598a43b9cdf002f24cd9271fb4444f0d1992d370033eb7c6615c0559ce4f72c6c6e70afff046d220d8

Download Submit
C:\ProgramData\UTKBEBLO\FileGrabber\Pictures\CheckpointInvoke.svg

Filesize
271KB

MD5
41d770bbac28f567482f5b419a968631

SHA1
97e5d29fc8a5bbc725cd55a940db29d184918c4e

SHA256
e751b815854fb8f278711b5bc2b4d1743c5647a9583abf10b6f5e71f15bcba2d

SHA512
880f7b89d1cf8735cf4b7e5a062a014b10a8d9d551f214c3477f3dcea97592d65117d3c3b8926dfcaf4f65c6bab24d02a82e3c5584e010a421c2f2a6154e4a66

Download Submit
C:\ProgramData\UTKBEBLO\FileGrabber\Pictures\LockExpand.jpeg

Filesize
526KB

MD5
1d640f8d1acb8c395796d4ac923a2a88

SHA1
4994c35d06a9bdcca1bfe0ce1ca154f33fc5788c

SHA256
7fd05f5c27dfc6f76cb40cbf9a403d607c64c5cb7328ba0df7a82430731d05c9

SHA512
4360132124433531f0f48cdc0a8340b8be1c0cc303c1dba8bedc204426f1f01e16bd4cb0a16a73512a253621d5e126ad249591bf1289d3898b466b9326c650d4

Download Submit
C:\ProgramData\UTKBEBLO\FileGrabber\Pictures\ReceiveSplit.svg

Filesize
382KB

MD5
42df2ffd6ad33731816e66b5173204c8

SHA1
9a8101f90051663f2c0ce12134b7160136a49c36

SHA256
73864f579d03706451083e222e36ef025e485fecd9332bd48ea93a8c021a613f

SHA512
ea81ee67c4d7b90dcfc895adbe17f3d0e309673cbf907c06c6d32a96c47b46f3e136584d14a0f74b5f1bdecec9426c5cae9ba25211a008464cc55493abbcd342

Download Submit
C:\ProgramData\UTKBEBLO\FileGrabber\Pictures\SearchReset.jpg

Filesize
542KB

MD5
4b400b78d8e66dcb7c7fb944431905b9

SHA1
26daff859aef5102cadeefe19c59d73401ad8618

SHA256
998baabaf91a990edf3d6ae76a8e106d7a3da03c0d7a34e8e5d86919df9aed1a

SHA512
5edac61a0d4b60d3b07b2fe8dd63331ff213f1b654caac123a083ab690a9c694a70859803fc7f2606dba83e119160bc4d9581df094633d40db8519885e025d16

Download Submit
C:\ProgramData\UTKBEBLO\Process.txt

Filesize
4KB

MD5
af99314ac88b93b6f3c0862936027672

SHA1
51dae8dc14297be4090e76a65ebff007f4db1c42

SHA256
9d20d351de4f4be894650f50c9ba6026902fb57fcdf696b90cc72b214db23ce3

SHA512
44b77e33fffd11a0163de871f75c17341feff05443a4d89ec4f146444a3eedb3622f71bd7f22b83d6bb9bd95fdba65c8a2dd7833280f27ef2a41c5a8fec63fb1

Download Submit
memory/3288-2-0x0000000074880000-0x0000000075030000-memory.dmp

Filesize
7.7MB

Download
memory/3288-154-0x000000007488E000-0x000000007488F000-memory.dmp

Filesize
4KB

Download
memory/3288-264-0x0000000074880000-0x0000000075030000-memory.dmp

Filesize
7.7MB

Download
memory/3288-43-0x0000000006DB0000-0x0000000006E16000-memory.dmp

Filesize
408KB

Download
memory/3288-1-0x0000000000C30000-0x0000000000C86000-memory.dmp

Filesize
344KB

Download
memory/3288-29-0x0000000007030000-0x00000000075D4000-memory.dmp

Filesize
5.6MB

Download
memory/3288-28-0x00000000069E0000-0x0000000006A72000-memory.dmp

Filesize
584KB

Download
memory/3288-0-0x000000007488E000-0x000000007488F000-memory.dmp

Filesize
4KB

Download
memory/3288-155-0x0000000074880000-0x0000000075030000-memory.dmp

Filesize
7.7MB

Download