stormkitty | 80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2024 14:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d5021b656dcb39863d39430a4eddb5d6eb0e177.exe
Size

320KB
MD5

1b8dac31eb30bd909fadcd9738c832ca
SHA1

3d5021b656dcb39863d39430a4eddb5d6eb0e177
SHA256

80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660
SHA512

25b02e6ae62add0a550b6c6cf3b1506177012ff94d885f0773fe5a7554d1fee1c96c3f286d6728eae31249eacbfc26d4869633145ba48ff3e6cef54ae8a9e54a
SSDEEP

6144:3m/Q1Q5Ng68j/svmHC40+XIzFUygWK0tWrcBOvv:3m/Q6P8j/svm1TXI5tZB

Score

10^/10

stormkitty collection discovery spyware stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/2256-1-0x0000000000DE0000-0x0000000000E36000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	3d5021b656dcb39863d39430a4eddb5d6eb0e177.exe
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	3d5021b656dcb39863d39430a4eddb5d6eb0e177.exe
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	3d5021b656dcb39863d39430a4eddb5d6eb0e177.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\ZTSLLRFH\FileGrabber\Desktop\desktop.ini	3d5021b656dcb39863d39430a4eddb5d6eb0e177.exe
File created	C:\Users\Admin\AppData\Roaming\ZTSLLRFH\FileGrabber\Downloads\desktop.ini	3d5021b656dcb39863d39430a4eddb5d6eb0e177.exe
File created	C:\Users\Admin\AppData\Roaming\ZTSLLRFH\FileGrabber\Pictures\desktop.ini	3d5021b656dcb39863d39430a4eddb5d6eb0e177.exe

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	freegeoip.app
13	freegeoip.app
36	api.ipify.org
37	api.ipify.org
38	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3d5021b656dcb39863d39430a4eddb5d6eb0e177.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	3d5021b656dcb39863d39430a4eddb5d6eb0e177.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	3d5021b656dcb39863d39430a4eddb5d6eb0e177.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2256	3d5021b656dcb39863d39430a4eddb5d6eb0e177.exe
2256	3d5021b656dcb39863d39430a4eddb5d6eb0e177.exe
2256	3d5021b656dcb39863d39430a4eddb5d6eb0e177.exe
2256	3d5021b656dcb39863d39430a4eddb5d6eb0e177.exe
2256	3d5021b656dcb39863d39430a4eddb5d6eb0e177.exe
2256	3d5021b656dcb39863d39430a4eddb5d6eb0e177.exe
2256	3d5021b656dcb39863d39430a4eddb5d6eb0e177.exe
2256	3d5021b656dcb39863d39430a4eddb5d6eb0e177.exe
2256	3d5021b656dcb39863d39430a4eddb5d6eb0e177.exe
2256	3d5021b656dcb39863d39430a4eddb5d6eb0e177.exe
2256	3d5021b656dcb39863d39430a4eddb5d6eb0e177.exe
2256	3d5021b656dcb39863d39430a4eddb5d6eb0e177.exe
2256	3d5021b656dcb39863d39430a4eddb5d6eb0e177.exe
2256	3d5021b656dcb39863d39430a4eddb5d6eb0e177.exe
2256	3d5021b656dcb39863d39430a4eddb5d6eb0e177.exe
2256	3d5021b656dcb39863d39430a4eddb5d6eb0e177.exe
2256	3d5021b656dcb39863d39430a4eddb5d6eb0e177.exe
2256	3d5021b656dcb39863d39430a4eddb5d6eb0e177.exe
2256	3d5021b656dcb39863d39430a4eddb5d6eb0e177.exe
2256	3d5021b656dcb39863d39430a4eddb5d6eb0e177.exe
2256	3d5021b656dcb39863d39430a4eddb5d6eb0e177.exe
2256	3d5021b656dcb39863d39430a4eddb5d6eb0e177.exe
2256	3d5021b656dcb39863d39430a4eddb5d6eb0e177.exe
2256	3d5021b656dcb39863d39430a4eddb5d6eb0e177.exe
2256	3d5021b656dcb39863d39430a4eddb5d6eb0e177.exe
2256	3d5021b656dcb39863d39430a4eddb5d6eb0e177.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2256	3d5021b656dcb39863d39430a4eddb5d6eb0e177.exe

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	3d5021b656dcb39863d39430a4eddb5d6eb0e177.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	3d5021b656dcb39863d39430a4eddb5d6eb0e177.exe

C:\Users\Admin\AppData\Local\Temp\3d5021b656dcb39863d39430a4eddb5d6eb0e177.exe
"C:\Users\Admin\AppData\Local\Temp\3d5021b656dcb39863d39430a4eddb5d6eb0e177.exe"
1⤵
- Accesses Microsoft Outlook profiles
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ZTSLLRFH\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Roaming\ZTSLLRFH\FileGrabber\Desktop\DisconnectRedo.docx

Filesize
266KB

MD5
99c63f34188b219e4d21cd0dd6768b10

SHA1
60d2e34b14817f385abf34c3421fd7a3e4811440

SHA256
1596227a61be1838c5b4ccc1cff382385ff44c17b7499a4d8d8adfa5c8d611c4

SHA512
77544cb93e0f3e64ecc56d432afe42457cc767699641ca367ab1ffd1c4993c256db693c51c7a23b68feb1e1b813b3b88149dcf91f8bb1f0a7e45655c614be824

Download Submit
C:\Users\Admin\AppData\Roaming\ZTSLLRFH\FileGrabber\Documents\AssertResolve.pptx

Filesize
821KB

MD5
4b8b73047d541673e491a1f139c7659f

SHA1
290fcebb99601a24c55528770377322861c7f483

SHA256
5278837b7ffb410a3c6b170c03f69c4e98e8a72b03f8e2effa320fec0ce067f5

SHA512
451763e43f0549d55c335c556ed2fb0b06c8363c372dce576296e25d73c71df9268a0e8787db468fd1b09f4500ef8de578cdbbb542803c14638918236862c881

Download Submit
C:\Users\Admin\AppData\Roaming\ZTSLLRFH\FileGrabber\Documents\DenyEnable.html

Filesize
844KB

MD5
50823f0776c7291b25d82f69fd53cbc6

SHA1
71d833fc9221df869695f99b5e4db166f2192648

SHA256
b2163fc4de41dfa07ddde464f275c2f9787d41bcbfe760f70cdfabccd5ae7d42

SHA512
5240b57165a483fc8ad6542f1dca3e3f1c5b87c7d574a9bc2e03bfe0157130831eb5f038271d5e2e1628b4859d8dd45951fd18ac91248ee62a7ec046766f69bc

Download Submit
C:\Users\Admin\AppData\Roaming\ZTSLLRFH\FileGrabber\Downloads\BackupDebug.xlsx

Filesize
579KB

MD5
923be8de1e5262d4603f8ca587af6977

SHA1
eaa0ad1f2d861191250a1bd6ef140d1ac5c49c8b

SHA256
9e67df3fd74b650861701c52608e1039e918e58b9c31800b847f89eeb3affd58

SHA512
537dc6789a6e2302dc9507c334b62e736f1e8dd8b59751f3dde1aa8f2cc2317541f6494279d0a19edddd3f833f8be4f1c25f31062867be92d4421a3d6ea09fa3

Download Submit
C:\Users\Admin\AppData\Roaming\ZTSLLRFH\FileGrabber\Downloads\MoveSuspend.jpg

Filesize
325KB

MD5
060f8e49bcadc78475aebe351e6cee6b

SHA1
bad77ec4416209d25ddfd4716d498e87077d1629

SHA256
4f3559bb6e1fe308352520b2e39d8c91f5a06c1ea9431463dbfac3eedecf3dbd

SHA512
1176e65c2c76a7c022c0d39d70ad7279b5a536578d1e929b78281691a6c14d99597cf88d5d1018a385cc86c7a005030a89b00bdd889d4234373b85c68136c7bf

Download Submit
C:\Users\Admin\AppData\Roaming\ZTSLLRFH\FileGrabber\Downloads\ReceiveInvoke.rtf

Filesize
468KB

MD5
e607f0778d69450f125ddc35d97a72f2

SHA1
b53cf5df913ff51c5f86d1972674557a4aaa7a9f

SHA256
168f5924e6b4cced29f436b47adba675fbfaa9d954d1978e3be202c6a268a425

SHA512
f2b22b7491929ba095d1ed998fccc8ea3239883457683e9cc4cd498e7708cf5ec37b32204d038a287d23b746330e48d7d7a2158baac96f344b55718c6439fbd8

Download Submit
C:\Users\Admin\AppData\Roaming\ZTSLLRFH\FileGrabber\Pictures\CompressApprove.bmp

Filesize
269KB

MD5
44a9807c8ee49233a4a262ac3fe9eaab

SHA1
6bbdf28a2d1c8d386ab2e316779632d48661e188

SHA256
cd8bf116b9686803f691f4adf0aa39584ef9e4858966b1f36ef74b696560307d

SHA512
f2a08546f8b477d4dcb8f129ba93e166b3cfbbce40d0e534eb133fb8e020fe0b478a151560da7dc4109938878d9f6021e73ba1ebc70097e8d7377ad6288a2395

Download Submit
C:\Users\Admin\AppData\Roaming\ZTSLLRFH\FileGrabber\Pictures\CompressComplete.bmp

Filesize
553KB

MD5
a4513e109dd885cc5018a352bf8016f3

SHA1
cf3a4b3f5d500314f856931e4e35647081ab7f2f

SHA256
25725356b246c0e32ecdc6c1de19d6dcb3139d40d54214be8c2b525e7b608791

SHA512
f11449bf59a0bf898d925c6b9f429dc49aa1be9fc9e16d91b6f1886292b196418f220efb3b037b0213ec15c4e4d314d914773c6b32762a0bca77d776dd6d6983

Download Submit
C:\Users\Admin\AppData\Roaming\ZTSLLRFH\FileGrabber\Pictures\RepairShow.jpeg

Filesize
1.0MB

MD5
5859e010b15d6739b5aba061c6a50475

SHA1
d450f1d2001d28aba8fc31236a7d1b89f2d1ea17

SHA256
3344669ccd4f999678d9925637f5f7f081cc71c1b8dfdab1cbccc39c493b7453

SHA512
eedd32d98321cd0e1bf3abc887446a311ff4aab385ac9073919949c7e0d505757c7b77475a0b0624d31555d3042232047e34027dc74fbf890975c58e3a13caff

Download Submit
C:\Users\Admin\AppData\Roaming\ZTSLLRFH\Process.txt

Filesize
4KB

MD5
129c9e4553b68a6a7b620343f3a30995

SHA1
70ac472a4d80c9d314af9e2c892ff431305efcb9

SHA256
bfd039928d6dfef91fb76b3e1ccbc8aa596839f9ce3cbbebfe66501f30208d55

SHA512
57bd26fecca7d429d915db44a8a76228d5a69860c001982efe90f6d6a0ff3cfe2d12630fa8266b112cedf5c65228816d1e9983bd731d58bba9eec766da413b11

Download Submit
memory/2256-35-0x0000000007050000-0x00000000070B6000-memory.dmp

Filesize
408KB

Download
memory/2256-187-0x000000007518E000-0x000000007518F000-memory.dmp

Filesize
4KB

Download
memory/2256-0-0x000000007518E000-0x000000007518F000-memory.dmp

Filesize
4KB

Download
memory/2256-30-0x0000000007190000-0x0000000007734000-memory.dmp

Filesize
5.6MB

Download
memory/2256-29-0x0000000006B40000-0x0000000006BD2000-memory.dmp

Filesize
584KB

Download
memory/2256-2-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/2256-1-0x0000000000DE0000-0x0000000000E36000-memory.dmp

Filesize
344KB

Download
memory/2256-226-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/2256-250-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download