stormkitty | 06a8dff1d1fba038b6d551d502eca4ff79a471a7f3c46ea4cfc88bce5ba86b62

General

Target

CryptoFactory.exe
Size

6.0MB
MD5

527e4ae4c9a4f056e8a4ca219c5089e6
SHA1

dfc855147f098b2db6857c0e3305b8850c61671f
SHA256

06a8dff1d1fba038b6d551d502eca4ff79a471a7f3c46ea4cfc88bce5ba86b62
SHA512

7d17209527e6cb292e8f74197a2c44de8b72307432b3477dee88edb48b2bf2c4c7647edef3dcd68f2e935601c9046f0225a254a2d572af34ef712f3387d5e7c1
SSDEEP

98304:aGOYln80EisK9yJND14r0Uhmkl1qa1Egu2Wh/X9Tm0OXcPwQESF/IKc6jF:aFqnPEZZzeJmkl1qHd2i/9TjElH8QKcK

Score

10^/10

stormkitty discovery stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000015d41-12.dat	family_stormkitty
behavioral1/memory/2960-19-0x00000000008E0000-0x0000000000952000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/files/0x0008000000015d41-12.dat	net_reactor
behavioral1/memory/2960-19-0x00000000008E0000-0x0000000000952000-memory.dmp	net_reactor

Executes dropped EXE 2 IoCs

pid	Process
2248	CryptoFactory.exe
2960	Client.exe

Loads dropped DLL 7 IoCs

pid	Process
2940	CryptoFactory.exe
2940	CryptoFactory.exe
2712	WerFault.exe
2712	WerFault.exe
2712	WerFault.exe
2712	WerFault.exe
2712	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2712	2960	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoFactory.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoFactory.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2248	CryptoFactory.exe
2248	CryptoFactory.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2248	CryptoFactory.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 2248	2940	CryptoFactory.exe	30
PID 2940 wrote to memory of 2248	2940	CryptoFactory.exe	30
PID 2940 wrote to memory of 2248	2940	CryptoFactory.exe	30
PID 2940 wrote to memory of 2248	2940	CryptoFactory.exe	30
PID 2940 wrote to memory of 2960	2940	CryptoFactory.exe	31
PID 2940 wrote to memory of 2960	2940	CryptoFactory.exe	31
PID 2940 wrote to memory of 2960	2940	CryptoFactory.exe	31
PID 2940 wrote to memory of 2960	2940	CryptoFactory.exe	31
PID 2960 wrote to memory of 2712	2960	Client.exe	32
PID 2960 wrote to memory of 2712	2960	Client.exe	32
PID 2960 wrote to memory of 2712	2960	Client.exe	32
PID 2960 wrote to memory of 2712	2960	Client.exe	32

C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
"C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Users\Admin\AppData\Roaming\CryptoFactory.exe
  "C:\Users\Admin\AppData\Roaming\CryptoFactory.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2248
- C:\Users\Admin\AppData\Roaming\Client.exe
  "C:\Users\Admin\AppData\Roaming\Client.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 520
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Client.exe

Filesize
431KB

MD5
a66341eb6be2e1497bc12048697b0a1b

SHA1
a721702b08f10d97c9cc1d041b1f147cc269a996

SHA256
c9ee99ccabd3260875974019160063dbbf4bf7bb9d4a9cc9a44ccbaf23ac050a

SHA512
154e60bfc9f29d1d18aa5fbdc36e10c045cd16402191036dc80c7f8a0f6ca4219361668c5a5f5f01d799b2fe1be319432d358593c230e49bf1d608a3bac5508d

Download Submit
\Users\Admin\AppData\Roaming\CryptoFactory.exe

Filesize
5.5MB

MD5
b8868b8ca49dc243910c548e69ca40f5

SHA1
7d97525e2210ba3ff8a5ea300e4cd95c5827aa39

SHA256
066fa46e73427f2f9e2d7d6128b2a283a1300114d25240a531bbea3f27039d6c

SHA512
809f8d5eb0a1d67416566ad358406a44d839e8336a22c6e489a4d03d250178331091c5c17231d1065df267060d1c3fc1226a1a38cf586944c3d0225cce17c186

Download Submit
memory/2248-21-0x00000000010F0000-0x000000000167C000-memory.dmp

Filesize
5.5MB

Download
memory/2248-17-0x0000000072DFE000-0x0000000072DFF000-memory.dmp

Filesize
4KB

Download
memory/2248-22-0x00000000002F0000-0x00000000002F6000-memory.dmp

Filesize
24KB

Download
memory/2248-28-0x000000000BA10000-0x000000000C156000-memory.dmp

Filesize
7.3MB

Download
memory/2248-29-0x0000000000800000-0x0000000000806000-memory.dmp

Filesize
24KB

Download
memory/2248-31-0x0000000072DFE000-0x0000000072DFF000-memory.dmp

Filesize
4KB

Download
memory/2940-2-0x0000000074ED0000-0x000000007547B000-memory.dmp

Filesize
5.7MB

Download
memory/2940-1-0x0000000074ED0000-0x000000007547B000-memory.dmp

Filesize
5.7MB

Download
memory/2940-18-0x0000000074ED0000-0x000000007547B000-memory.dmp

Filesize
5.7MB

Download
memory/2940-0-0x0000000074ED1000-0x0000000074ED2000-memory.dmp

Filesize
4KB

Download
memory/2960-20-0x0000000072DF0000-0x00000000734DE000-memory.dmp

Filesize
6.9MB

Download
memory/2960-19-0x00000000008E0000-0x0000000000952000-memory.dmp

Filesize
456KB

Download
memory/2960-30-0x0000000072DF0000-0x00000000734DE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing