stormkitty | 06a8dff1d1fba038b6d551d502eca4ff79a471a7f3c46ea4cfc88bce5ba86b62

General

Target

CryptoFactory.exe
Size

6.0MB
MD5

527e4ae4c9a4f056e8a4ca219c5089e6
SHA1

dfc855147f098b2db6857c0e3305b8850c61671f
SHA256

06a8dff1d1fba038b6d551d502eca4ff79a471a7f3c46ea4cfc88bce5ba86b62
SHA512

7d17209527e6cb292e8f74197a2c44de8b72307432b3477dee88edb48b2bf2c4c7647edef3dcd68f2e935601c9046f0225a254a2d572af34ef712f3387d5e7c1
SSDEEP

98304:aGOYln80EisK9yJND14r0Uhmkl1qa1Egu2Wh/X9Tm0OXcPwQESF/IKc6jF:aFqnPEZZzeJmkl1qHd2i/9TjElH8QKcK

Score

10^/10

stormkitty discovery stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000016d89-16.dat	family_stormkitty
behavioral1/memory/2676-19-0x0000000000340000-0x00000000003B2000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/files/0x0008000000016d89-16.dat	net_reactor
behavioral1/memory/2676-19-0x0000000000340000-0x00000000003B2000-memory.dmp	net_reactor

Executes dropped EXE 2 IoCs

pid	Process
2816	CryptoFactory.exe
2676	Client.exe

Loads dropped DLL 7 IoCs

pid	Process
2124	CryptoFactory.exe
2124	CryptoFactory.exe
888	WerFault.exe
888	WerFault.exe
888	WerFault.exe
888	WerFault.exe
888	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
888	2676	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoFactory.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoFactory.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 2816	2124	CryptoFactory.exe	30
PID 2124 wrote to memory of 2816	2124	CryptoFactory.exe	30
PID 2124 wrote to memory of 2816	2124	CryptoFactory.exe	30
PID 2124 wrote to memory of 2816	2124	CryptoFactory.exe	30
PID 2124 wrote to memory of 2676	2124	CryptoFactory.exe	31
PID 2124 wrote to memory of 2676	2124	CryptoFactory.exe	31
PID 2124 wrote to memory of 2676	2124	CryptoFactory.exe	31
PID 2124 wrote to memory of 2676	2124	CryptoFactory.exe	31
PID 2676 wrote to memory of 888	2676	Client.exe	32
PID 2676 wrote to memory of 888	2676	Client.exe	32
PID 2676 wrote to memory of 888	2676	Client.exe	32
PID 2676 wrote to memory of 888	2676	Client.exe	32

C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
"C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Users\Admin\AppData\Roaming\CryptoFactory.exe
  "C:\Users\Admin\AppData\Roaming\CryptoFactory.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2816
- C:\Users\Admin\AppData\Roaming\Client.exe
  "C:\Users\Admin\AppData\Roaming\Client.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 520
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Client.exe

Filesize
431KB

MD5
a66341eb6be2e1497bc12048697b0a1b

SHA1
a721702b08f10d97c9cc1d041b1f147cc269a996

SHA256
c9ee99ccabd3260875974019160063dbbf4bf7bb9d4a9cc9a44ccbaf23ac050a

SHA512
154e60bfc9f29d1d18aa5fbdc36e10c045cd16402191036dc80c7f8a0f6ca4219361668c5a5f5f01d799b2fe1be319432d358593c230e49bf1d608a3bac5508d

Download Submit
C:\Users\Admin\AppData\Roaming\CryptoFactory.exe

Filesize
4.6MB

MD5
015af0b0f020d555b6aa8954b7e19117

SHA1
c11323f09e800b83f346b4ccfbedbd7919c54b5e

SHA256
9ddabf3b607d6af97bd37b5d5a21bfdfc297e77f869cd75ba189dc79fcc64f33

SHA512
12a8cdc2b122392a440f5d1b53bb8765158958416c8e217573d14f6aa8bf1d587ceb722e09d85a86ebf042ce89dafdd77b1ccf8354c73528285dfc641e90ea9d

Download Submit
C:\Users\Admin\AppData\Roaming\CryptoFactory.exe

Filesize
4.6MB

MD5
f5235488b702f4b1575bf4a3c0ef6147

SHA1
2bda5e066040d5a8237051b6c002264c8ac4ad28

SHA256
5cbf590c6d01aa67ce2ac5a9ed5e436dff5e1e75ff6a05218faced3ecb0c3852

SHA512
6a24fbdae06cf4de23d9dd3bc064c201a56e9e89a9ef94a8870238210a70385da154d7613f3ed8b997d0eef2ad1c0f2b4357aadde1affe8e0ed2304f9b281477

Download Submit
\Users\Admin\AppData\Roaming\CryptoFactory.exe

Filesize
5.5MB

MD5
b8868b8ca49dc243910c548e69ca40f5

SHA1
7d97525e2210ba3ff8a5ea300e4cd95c5827aa39

SHA256
066fa46e73427f2f9e2d7d6128b2a283a1300114d25240a531bbea3f27039d6c

SHA512
809f8d5eb0a1d67416566ad358406a44d839e8336a22c6e489a4d03d250178331091c5c17231d1065df267060d1c3fc1226a1a38cf586944c3d0225cce17c186

Download Submit
memory/2124-1-0x0000000074F50000-0x00000000754FB000-memory.dmp

Filesize
5.7MB

Download
memory/2124-18-0x0000000074F50000-0x00000000754FB000-memory.dmp

Filesize
5.7MB

Download
memory/2124-0-0x0000000074F51000-0x0000000074F52000-memory.dmp

Filesize
4KB

Download
memory/2124-3-0x0000000074F50000-0x00000000754FB000-memory.dmp

Filesize
5.7MB

Download
memory/2676-30-0x0000000072E90000-0x000000007357E000-memory.dmp

Filesize
6.9MB

Download
memory/2676-19-0x0000000000340000-0x00000000003B2000-memory.dmp

Filesize
456KB

Download
memory/2676-21-0x0000000072E90000-0x000000007357E000-memory.dmp

Filesize
6.9MB

Download
memory/2816-22-0x00000000008C0000-0x00000000008C6000-memory.dmp

Filesize
24KB

Download
memory/2816-20-0x00000000001B0000-0x000000000073C000-memory.dmp

Filesize
5.5MB

Download
memory/2816-28-0x000000000B8D0000-0x000000000C016000-memory.dmp

Filesize
7.3MB

Download
memory/2816-29-0x0000000000C00000-0x0000000000C06000-memory.dmp

Filesize
24KB

Download
memory/2816-17-0x0000000072E9E000-0x0000000072E9F000-memory.dmp

Filesize
4KB

Download
memory/2816-31-0x0000000072E9E000-0x0000000072E9F000-memory.dmp

Filesize
4KB

Download
memory/2816-33-0x0000000000CA0000-0x0000000000CAA000-memory.dmp

Filesize
40KB

Download
memory/2816-32-0x0000000000CA0000-0x0000000000CAA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing