stormkitty | 8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-12-2024 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe
Size

320KB
MD5

f71e90cbe5a122796864f70feba51a50
SHA1

b63521622fbd176baddf513e2eb191f655880bca
SHA256

8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a
SHA512

001e5b02b5f28b2e9d8cff0baedbd5c21aa6da19f41629037438d39dcfdb6b1322c50571cb7a8fade72ed284d411919a6db319120c1d127df8488de95f7fd12f
SSDEEP

6144:Wm/Q1Q5Ng68j/svmHC40+XIzFUygWK0tWrcBOvJ:Wm/Q6P8j/svm1TXI5tZB

Score

10^/10

stormkitty collection discovery spyware stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/memory/2024-1-0x00000000003B0000-0x0000000000406000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 5 IoCs

description	ioc	Process
File created	C:\ProgramData\VORHPBAB\FileGrabber\Downloads\desktop.ini	8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe
File created	C:\ProgramData\VORHPBAB\FileGrabber\Pictures\desktop.ini	8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe
File created	C:\ProgramData\VORHPBAB\FileGrabber\Desktop\desktop.ini	8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe
File opened for modification	C:\ProgramData\VORHPBAB\FileGrabber\Desktop\desktop.ini	8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe
File created	C:\ProgramData\VORHPBAB\FileGrabber\Documents\desktop.ini	8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
20	ip-api.com
22	api.ipify.org
23	api.ipify.org
5	freegeoip.app
9	freegeoip.app
18	api.ipify.org
19	api.ipify.org

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2024	8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe
2024	8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe
2024	8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe
2024	8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe
2024	8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe
2024	8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2024	8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe

C:\Users\Admin\AppData\Local\Temp\8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe
"C:\Users\Admin\AppData\Local\Temp\8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe"
1⤵
- Accesses Microsoft Outlook profiles
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\VORHPBAB\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\ProgramData\VORHPBAB\FileGrabber\Desktop\HideStep.svg

Filesize
251KB

MD5
843147bc20c5c4590cd149d105600ab0

SHA1
c169add9e7fe71f457f38bf69113791189eca392

SHA256
7df53ce03f5d0f7e4ab9c7cf58ba569cb34aa6420103d570ff825434ba879eff

SHA512
1ab283fde15dacf65b87d1d62b217169fbeddebe13226b156d8244ab4a3ddac6f2c7fd8e2eb62a835a2e53b6c234f880b4bea0c058246d287b40d92ca52f0456

Download Submit
C:\ProgramData\VORHPBAB\FileGrabber\Desktop\NewClear.css

Filesize
430KB

MD5
b71d79fe6e9ec03a9dddee251376094d

SHA1
a83a5c2bf0f57722df5d346938b45918c018f238

SHA256
4a9ae89d2cc9bd92fa73f7a0e2af374b94b6823616e660b7bb4b9ab0853a14de

SHA512
1c452ec5e95aa0a406691e8debce2679502931c9aa6a9e3f2037f1318a295ac6f76c22dab51a7a1b01193d9435644c3bfca8fc7a741cedd0d3fdab8c16d44cf0

Download Submit
C:\ProgramData\VORHPBAB\FileGrabber\Desktop\OpenEnter.xlsx

Filesize
10KB

MD5
246758db832fa3aaf25095a2646cf9d6

SHA1
2408d255483f21b3f0aeed1d7654d716b673fe1e

SHA256
5201f3ff4e60f53056befcb8de9efd294be41a5858e84d14fe398926f52aa3a2

SHA512
8e21c1b9af8d282ac839b315bf7f2b1562e381c6dd263b12ae65ce9b6009b26a1822cbaa88519a6979a133f5aa27ed1332c44fe4a56aa840bad2ebc27fb5e36b

Download Submit
C:\ProgramData\VORHPBAB\FileGrabber\Documents\EditDismount.docx

Filesize
1.9MB

MD5
4e510ed42b2c0662616c8dd14cd7ca81

SHA1
ebf03d4f9d51ea04306052cd681c902757a12c63

SHA256
28b7819364e67df4ed99aae0da810694409de459231d1c3fa95a7c536a1cf9d2

SHA512
872adab522ae1ded861423e94bb356993deae7d45cfe91dbf869c3c9f79162f03b91a8ca44be8ec5653bbaa4dd55887a738ce3518c215b5b86281d1ef17fdcb6

Download Submit
C:\ProgramData\VORHPBAB\FileGrabber\Downloads\EditWrite.docx

Filesize
418KB

MD5
d8aa9985e936dc432937ab4fb0514ad1

SHA1
967ecb373aef311c8ba7ff05d82c241cd145c9d5

SHA256
4d9d75b6adabdbb35c9eccee5f42be63c32745ed66770ac7d46ae1ec22dc7aa9

SHA512
beaa54a6343fb008308275e522918f843824c70f893db0c2edcab48531944631e6e27af42d58c48e29433a6ebc884ea6a61bd7f47e1ce330b21385ba07aacfa5

Download Submit
C:\ProgramData\VORHPBAB\FileGrabber\Downloads\GetComplete.txt

Filesize
302KB

MD5
a3a745c03e7da55d844c3b601bfc93b5

SHA1
4644649c867665edbbe46b5daee72871e97eca46

SHA256
4f1ff32c0fbc7ae7f13cc8307c5eabd601e09576bacb80978c6dd29521ab240c

SHA512
9050024b8f1ee6bd7a09a67d047ef2628d7d7de9df8895e574685f4906e0cab00e610ac364f19e352c70dc2410e3615fae316a27abf19cfb990a9d1ce263e808

Download Submit
C:\ProgramData\VORHPBAB\FileGrabber\Downloads\ImportClose.html

Filesize
204KB

MD5
47911c1432ec370d83786c5787b27f20

SHA1
b62903d2eb0be298b7d8f660b0eab3e90c2ee5af

SHA256
9aaa3e30ec8c22224b96176e1bf538fa72af2ebd176157a34328e994065adad3

SHA512
23dfd9bb2677b0365007357d5929df14335ea3b456802b1ef0c2eb194b2ef6014494a0e751593648337aa98887cefb5a6a79e917847dbfd163494785bd0dca57

Download Submit
C:\ProgramData\VORHPBAB\FileGrabber\Downloads\ImportDebug.png

Filesize
321KB

MD5
dde0c9cca7f2a1d2f5f76a28e8e4c621

SHA1
874325cfea4427b8c0cb1d8da5e7af47bead86c6

SHA256
11a9488ff030698d0d38b2bf3d1686371e90a631d959afd01eb118555528d5a3

SHA512
4005d8942eb9475baa85c53f043e35f9957c5a3836d3f9bac21b27b7ec0b7e55c2d9496208b6e3b4e723aedb9917ef135012f21105147224d5ff60a0a0b5cd4b

Download Submit
C:\ProgramData\VORHPBAB\FileGrabber\Pictures\GetInstall.bmp

Filesize
1.2MB

MD5
7c918006d3c67202218a261361478643

SHA1
b474da2b9807c80609e17fa02e71bf38f67cc94d

SHA256
557d6e24341da2285a197a230d10be419a0c4aa122a9667f02c73cfcaacc26fc

SHA512
e9a77a96359f24082d52a508420f9be53032474a3955f83a9fd8bb0a52013172a108e4d3f517ceaa9c2937963d741d2cf2a184bdfb7684a30fe6bb9db478b270

Download Submit
C:\ProgramData\VORHPBAB\FileGrabber\Pictures\InstallHide.bmp

Filesize
1.4MB

MD5
cdea0144db233e55382cb443445905bf

SHA1
461b605604f22f843ec10fdc00b7d74f631839be

SHA256
f4824e8d8625d1ee01d70a48295428344dcbfced4cf1677aad2ec2b062104d53

SHA512
129086746a065d2d1ca732df3e20a879f560e868d736a1b9f805c8d9421605391ab8cb692428f7ee6fb83195dd749a04109dc58b2fc1635b10f13a899e75543e

Download Submit
memory/2024-2-0x00000000745D0000-0x0000000074CBE000-memory.dmp

Filesize
6.9MB

Download
memory/2024-1-0x00000000003B0000-0x0000000000406000-memory.dmp

Filesize
344KB

Download
memory/2024-0-0x00000000745DE000-0x00000000745DF000-memory.dmp

Filesize
4KB

Download
memory/2024-155-0x00000000745DE000-0x00000000745DF000-memory.dmp

Filesize
4KB

Download
memory/2024-156-0x00000000745D0000-0x0000000074CBE000-memory.dmp

Filesize
6.9MB

Download
memory/2024-179-0x00000000745D0000-0x0000000074CBE000-memory.dmp

Filesize
6.9MB

Download