stormkitty | 8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a

Analysis

max time kernel
93s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-12-2024 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe
Size

320KB
MD5

f71e90cbe5a122796864f70feba51a50
SHA1

b63521622fbd176baddf513e2eb191f655880bca
SHA256

8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a
SHA512

001e5b02b5f28b2e9d8cff0baedbd5c21aa6da19f41629037438d39dcfdb6b1322c50571cb7a8fade72ed284d411919a6db319120c1d127df8488de95f7fd12f
SSDEEP

6144:Wm/Q1Q5Ng68j/svmHC40+XIzFUygWK0tWrcBOvJ:Wm/Q6P8j/svm1TXI5tZB

Score

10^/10

stormkitty collection discovery spyware stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/1888-1-0x00000000004B0000-0x0000000000506000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\OFGADUSE\FileGrabber\Desktop\desktop.ini	8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe
File created	C:\Users\Admin\AppData\Roaming\OFGADUSE\FileGrabber\Documents\desktop.ini	8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe
File created	C:\Users\Admin\AppData\Roaming\OFGADUSE\FileGrabber\Downloads\desktop.ini	8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe
File created	C:\Users\Admin\AppData\Roaming\OFGADUSE\FileGrabber\Pictures\desktop.ini	8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	freegeoip.app
5	freegeoip.app
35	api.ipify.org
36	api.ipify.org
37	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1888	8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe
1888	8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe
1888	8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe
1888	8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe
1888	8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe
1888	8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe
1888	8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe
1888	8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe
1888	8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe
1888	8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe
1888	8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe
1888	8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe
1888	8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe
1888	8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe
1888	8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe
1888	8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe
1888	8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe
1888	8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe
1888	8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe
1888	8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe
1888	8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe
1888	8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe
1888	8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe
1888	8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe
1888	8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe
1888	8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1888	8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe

C:\Users\Admin\AppData\Local\Temp\8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe
"C:\Users\Admin\AppData\Local\Temp\8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a.exe"
1⤵
- Accesses Microsoft Outlook profiles
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\OFGADUSE\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Roaming\OFGADUSE\FileGrabber\Desktop\PingUnblock.png

Filesize
305KB

MD5
6c6cb2ad8e7e69c8011bd9d43dd5a9f6

SHA1
2397634f635b8f3b408848a6c88b95584f1fa63a

SHA256
4b62e1a3b450cb3269aa040bc728ca14b501537ecbc4923a9ec6e239fb0d6cea

SHA512
eb089166c1277f9ede19da6bc50d6bf7b1121ebf50f79630843a17c72c4ba8c2b317a78c5506eb4b752d68f7735d5ad0a79abb7a157f64ea466cc1d3059cafff

Download Submit
C:\Users\Admin\AppData\Roaming\OFGADUSE\FileGrabber\Desktop\SuspendInitialize.txt

Filesize
164KB

MD5
81a68dd1809dae4dcf4ddfb384c9d1cc

SHA1
88e78726a0e4ee6b4d18854a54f7e669e3c3209b

SHA256
ff333d37559b47342386d54c43889c9d5a53d3f200a6648280c88657bc56a285

SHA512
75c800cb5c8b611725d45f748ebcf741d2e0f8926c1b589932cac3235e454273bb1590c7ca840233eca978882c217a9034afc0c30069cb318abe7188f0124127

Download Submit
C:\Users\Admin\AppData\Roaming\OFGADUSE\FileGrabber\Documents\PopUnregister.xls

Filesize
275KB

MD5
12a2d70b3254e54807f042883ef392b7

SHA1
5c18421a7368187cea8037d83bca5420b5279003

SHA256
38005f6d25857dc37029c9e6f4a04fbfc2a5ac8c0eca9396c66d787860485039

SHA512
eff3b182f2145f90f8d66126366446b3f447b623c228443776a55dde7c7fcd9f676cfda4772948ac9129c9170b41ab530693f69bb1d176fabd9fe7fa1a82a740

Download Submit
C:\Users\Admin\AppData\Roaming\OFGADUSE\FileGrabber\Documents\RenameTest.pptx

Filesize
484KB

MD5
18d4cb532d51a58bee685fc2a0428223

SHA1
3b0a28a036a7fed824d4d384e330368846ff92d1

SHA256
a7d6037e6c93cbcb677952c3b77d610e307f5f1e3111d99f3c66a7d3fe6062fa

SHA512
dc1d1f47e920b3675c6a109b2b9ac9044fe6eb37f526884c4eb5358a898bf193893d61656e73b0c610f61e908f69357952512709363241e0c1d03c46fde4e5ef

Download Submit
C:\Users\Admin\AppData\Roaming\OFGADUSE\FileGrabber\Documents\RepairUse.rtf

Filesize
286KB

MD5
8b16604cafd3dea6e833778b1fb09d3b

SHA1
d0c657822c9488b9fc2e4005052ff19da47a9a2c

SHA256
e74c26775c2f7f2f99375a7ac21cd80faf97ab5bd425858d4ed8b338e5228704

SHA512
185dd023916f58f726a2767ccdebcb3ecb2f7a31947b39ea16c2f66d2c122e544e71d149ceca0cbe57d6ccbe9efa18190d47657982e078083ca5e774c306a493

Download Submit
C:\Users\Admin\AppData\Roaming\OFGADUSE\FileGrabber\Documents\SaveCompress.ppt

Filesize
231KB

MD5
c07abb8b07d3c1e44fbfde838f30d3fb

SHA1
b97fece40fe5b8d265b141478b00d8d463e5b518

SHA256
87b5cc0663517b194a904ae5d4f01fbb75bb640213f42cd9a67b3ec4a219fd2d

SHA512
10364bf665131abf9819c013955e2988b0bd63394ec00139d8e36671207a80c30eedbfe4ca12a0018c8ec0ca9677f81fcd762e07d48131d37e6ef9c6402980e5

Download Submit
C:\Users\Admin\AppData\Roaming\OFGADUSE\FileGrabber\Downloads\ConvertInitialize.ini

Filesize
591KB

MD5
9bfc09051a632c3665104282b36e3f81

SHA1
e8b5bfd7ad2c00a75d19b967dae77d73919a19f4

SHA256
7662f2aba1a9551feacb631add3eb71fb257c97149768c9e389dc31671a0a6a3

SHA512
60a6e886142947f7492109b3aa426857e1dd1cc33ffa453d694b21bf23303837c36d9753f9362477f1e82479006780b07d60eb1040b43debe17976718c3a88a3

Download Submit
C:\Users\Admin\AppData\Roaming\OFGADUSE\FileGrabber\Downloads\OptimizeSuspend.svg

Filesize
551KB

MD5
37a91de453edd495a0fd2ec00a835f15

SHA1
ef1eeba828fe5cc0e7900778b20eeca52f15576a

SHA256
7eed968a4d57ddc9cfb0098095b2bda64774698c1362d38e52daf0c3cda76b15

SHA512
f84441b8631b8f68d43d5356c5f1eb1c33a0faad2925a72f2ccff1ea93a422a1c8001cd269f12a28c950e5e89f0cd6673126c6ba65d650d62d93970a4f0b6569

Download Submit
C:\Users\Admin\AppData\Roaming\OFGADUSE\FileGrabber\Downloads\ReceiveClear.pdf

Filesize
932KB

MD5
37f91a75c2e6ec1f5fe8ee6f56cab42b

SHA1
6fe72c7734595e368786b8ca4c800f71fde2723d

SHA256
26c4a77c812d1c1c5245a76fa46d8980d21e10d0aa7a8de363b56e97924e6b3e

SHA512
f8e62332692e9fb37e2dcdce6b41de775bc66003721789c85bd6e6c2bb9b2b215cb4830e6e43b3abe71adfa67c3ea569507b7d880a2971ac1993caf6380e3435

Download Submit
C:\Users\Admin\AppData\Roaming\OFGADUSE\FileGrabber\Pictures\AssertConvertTo.bmp

Filesize
149KB

MD5
0ab1071ec1362aa8145649bcad4de3b3

SHA1
b8c127bc1e7794617cc2e058e7ccabaed919fa04

SHA256
da614cafc14b1642a7e36028937d52ceab9226d170b2fdc58456255e395a9b12

SHA512
29bf03f98e186fc1b852e596f7a1735234f9f4d8abba8ce43b4707e03fd82dc0e469fba9d4e9a827dc6168ea5dc34a95c07d08b4f62f20e53da83f14d4da9740

Download Submit
C:\Users\Admin\AppData\Roaming\OFGADUSE\FileGrabber\Pictures\ConvertFromEnable.png

Filesize
146KB

MD5
50cfaa5d151a88a346abab09e027870e

SHA1
73ba9e4508771ad7a66a27d286ef3708aef215e4

SHA256
2aee3681dfcc2e284e8ca2182b0ee4dba07c372c4d393d03e1ef239f38380c9a

SHA512
4d8825b1c4ca7c0674161904c0965a7074e0b736304584c0d056c9f0feece81611331a2e09364e4431932419e033a78575db1dea16d777c2c00cc9b4e6f0b0a9

Download Submit
C:\Users\Admin\AppData\Roaming\OFGADUSE\FileGrabber\Pictures\ExpandCopy.jpg

Filesize
119KB

MD5
595b32aa4757da889d27ab516aedd479

SHA1
7fb81538040ab2886d1b4afa4fc50850646bf762

SHA256
f6769fd1506873b9d87a599738137f8160eb290f506f28903e4edba076f4521e

SHA512
a9902fd18ef0b9fc27c6a5f80699232c4b7abfc68c24f162f6ef253e21dfedc4c67b06900b35a14d4af900eb1c38ea8f7a9bf81d2fce9ff42b28503a5e35b50c

Download Submit
C:\Users\Admin\AppData\Roaming\OFGADUSE\FileGrabber\Pictures\JoinClear.jpeg

Filesize
116KB

MD5
63088e331c841f19e18fca1ccd375293

SHA1
95934cb37201263e09426ce385a2b11ff49a8956

SHA256
efbc083aff9c79dec6f3b8f727751ede8660ba6c0f8388a65973af945cf7cd6c

SHA512
8e0b31210a20ed9c1180d6dbfd5ec462682d35c3e8f3dd3513a239e6491e8c563b99ba6c278daaf1fd5827e2ef6b99db7b2e0fed67f37df10630dfaba0453b28

Download Submit
C:\Users\Admin\AppData\Roaming\OFGADUSE\FileGrabber\Pictures\JoinDisable.bmp

Filesize
153KB

MD5
23bfb6ffee48576f305e20815791e214

SHA1
729d1eb16422414148fcf7617e2e2c9172ba0d60

SHA256
09c02cc884e97a5ad8cfd01b2d940e7d7fb5af7bd7dfe502b1fa3870b15baf17

SHA512
db9f71bf89b797d576d688d63ce62166aa60905a170be0e309d53f365ca5434d024f977c1c035dd24ba1cfff575b88631efceed5899121fd0c35e6b5d54f9fae

Download Submit
C:\Users\Admin\AppData\Roaming\OFGADUSE\FileGrabber\Pictures\MountUnblock.jpeg

Filesize
163KB

MD5
29789e53115ecd7f9f0805a6a64d8ac2

SHA1
c5e1b064a31d757ba44d793bab2dcdb88b38a485

SHA256
a6ebeabfc480dcdd347ac8e2bd325768aacfe40e4987fe99eb899df4f4dc46c4

SHA512
bad4b257cac71ef90564f0248aa0b92212581107fd1d0da97c37c60921b1a8dc28a27a12317b04f26c9322973c141184123c92f65edaae8b9876d4b928aab02f

Download Submit
C:\Users\Admin\AppData\Roaming\OFGADUSE\FileGrabber\Pictures\OpenJoin.bmp

Filesize
183KB

MD5
3b855d12e9a0bee7e34ad5f80a71651d

SHA1
81352135b3294f3b216e664c6964bcc9c93116f7

SHA256
79bc94ccc8716e83814f239adde1bbb20cbe97569c5e682ab26a42977e06e079

SHA512
d044e5780f77276dcef8f8067c44cbb43a5d7bb6cfe12169367ebfb94a034fee3e5b30f033bc736b9b8540ca47641e2890bab3db09eb443d92dfcbfcd62687c6

Download Submit
C:\Users\Admin\AppData\Roaming\OFGADUSE\FileGrabber\Pictures\ReceiveMeasure.png

Filesize
180KB

MD5
cc7dfefc028053be39686fd4ff422e41

SHA1
f377227cce1b9afcd510b300aeb9b9b47019982c

SHA256
eb64a4fe809ce30cd5fd4e977cab0b2ea84ebaabc6acf40458a46a573f26e693

SHA512
098f7defdc390bd3c89167a628d17ebe519f251e2989f158036d5a29217842d1645fd4c2339d5bec95df3ed278be03ec395117836a020777439f3e936589d34d

Download Submit
C:\Users\Admin\AppData\Roaming\OFGADUSE\Process.txt

Filesize
4KB

MD5
2f58c4975120aa0107f0f5693ed43a2b

SHA1
cdf4adb602386262aa5d10578b58580ade729d30

SHA256
c9e42bbc512ff5103ba92b8e4c63e8ce3a82dd25d85a56857b599ab205d18a51

SHA512
e79e712098b80b8c32681272d1b3589110d97e8987ca815eb604c786390393bc7849fdd74aab9f9b28118482ca59bfb39f774c808d40ddedc1dd3beb2025a37a

Download Submit
memory/1888-40-0x00000000060C0000-0x0000000006152000-memory.dmp

Filesize
584KB

Download
memory/1888-1-0x00000000004B0000-0x0000000000506000-memory.dmp

Filesize
344KB

Download
memory/1888-0-0x00000000747CE000-0x00000000747CF000-memory.dmp

Filesize
4KB

Download
memory/1888-2-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/1888-41-0x0000000006710000-0x0000000006CB4000-memory.dmp

Filesize
5.6MB

Download
memory/1888-49-0x00000000065D0000-0x0000000006636000-memory.dmp

Filesize
408KB

Download
memory/1888-277-0x00000000747CE000-0x00000000747CF000-memory.dmp

Filesize
4KB

Download
memory/1888-278-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/1888-313-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download