stormkitty | 80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660

Analysis

max time kernel
28s
max time network
34s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
01-01-2025 02:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
Size

320KB
MD5

1b8dac31eb30bd909fadcd9738c832ca
SHA1

3d5021b656dcb39863d39430a4eddb5d6eb0e177
SHA256

80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660
SHA512

25b02e6ae62add0a550b6c6cf3b1506177012ff94d885f0773fe5a7554d1fee1c96c3f286d6728eae31249eacbfc26d4869633145ba48ff3e6cef54ae8a9e54a
SSDEEP

6144:3m/Q1Q5Ng68j/svmHC40+XIzFUygWK0tWrcBOvv:3m/Q6P8j/svm1TXI5tZB

Score

10^/10

stormkitty collection discovery spyware stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/memory/3064-1-0x00000000001C0000-0x0000000000216000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\BCXRJFKE\FileGrabber\Desktop\desktop.ini	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
File created	C:\Users\Admin\AppData\Local\BCXRJFKE\FileGrabber\Documents\desktop.ini	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
File created	C:\Users\Admin\AppData\Local\BCXRJFKE\FileGrabber\Downloads\desktop.ini	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
File created	C:\Users\Admin\AppData\Local\BCXRJFKE\FileGrabber\Pictures\desktop.ini	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
18	api.ipify.org
19	api.ipify.org
20	ip-api.com
22	api.ipify.org
23	api.ipify.org
4	freegeoip.app
7	freegeoip.app

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3064	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
3064	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
3064	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
3064	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
3064	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
3064	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3064	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe

C:\Users\Admin\AppData\Local\Temp\80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
"C:\Users\Admin\AppData\Local\Temp\80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe"
1⤵
- Accesses Microsoft Outlook profiles
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\BCXRJFKE\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\BCXRJFKE\FileGrabber\Desktop\ApproveComplete.xlsx

Filesize
12KB

MD5
1c73e3ab06e02459bc199c65a4ddc091

SHA1
8d186dad51116734b782707c45804cf03bb1bbc7

SHA256
33e330f30d8db70ca13ffbafc6f60b7a42fe3f598ab020841ad7ade2796e593b

SHA512
4a446048406f92e15fc52aecb01bf4b14181ea39d40c2dc7ee273660380e207f9668923b9b41717185d4ef98d204597673aaa3af65349c4466bc62c57339ce92

Download Submit
C:\Users\Admin\AppData\Local\BCXRJFKE\FileGrabber\Desktop\RemoveClear.bmp

Filesize
940KB

MD5
1eefc4446813f6071fa8329a7c39773f

SHA1
913aebf7aa7a6b94363f454e5095afd31d756aa2

SHA256
ac034b76037189f138a29e694d17d392d08e68e62ba9ac1a4bf8a98470d86757

SHA512
088989ba3f953ca397a1eb365b9c8aad5ce40b1ce4c700ef156e4ea3cdf547a84cc219c78e9af512fd8200ac4643edfdf4a5b63ae71fd2252d75e1135cbf1b3e

Download Submit
C:\Users\Admin\AppData\Local\BCXRJFKE\FileGrabber\Desktop\ResetCopy.doc

Filesize
606KB

MD5
300ab24cc2e6d6a8373e672d349b111a

SHA1
e795d9e61eb27ec0239c6133dbab4e91f06896b4

SHA256
bbf14cf7f79f673fda03f69a5ea8f36f3dc839321e943dc038c1d61e39379321

SHA512
d773506ef9c293d585511569e7cf91d50831d2151d2b1b464a63f122790986a0c0a11b667b902afa7bc7ef2c95f13af97d50659f9e194d527b991fb771f3c4a1

Download Submit
C:\Users\Admin\AppData\Local\BCXRJFKE\FileGrabber\Documents\CheckpointGroup.xlsx

Filesize
354KB

MD5
28c285deb88b0e9355451173e402cdbb

SHA1
7559aaff6283235e45cc2596f39248de9d6c0283

SHA256
c9f83be83bd79e935f867f643e0d52d42f95b12789ee17566aaace83cd260f60

SHA512
5a5d19f9a8e5f3ca7495c5a129e7a8791075cbecb7b38412a03377eed1b678fcd36a9fd27cf81cc9515b4f3abe83b5402fddbc2f0f8d8623cbc087a8c80fe5b8

Download Submit
C:\Users\Admin\AppData\Local\BCXRJFKE\FileGrabber\Documents\SearchFind.ppt

Filesize
536KB

MD5
def8f5dc88fd57181e4781715f70ed65

SHA1
6ac3b000708dacfd7e4d3d5991a6e394a15c745a

SHA256
f44198fd4ce2f9399e36066c988510e6b0e9622a2fd72167917aa848f9bea502

SHA512
50adb2bdb0fc25daef50c2d06f26795fd2bf1cd05b7624417ee7711b978e98dba646ddf42f6d5ebec5a369bdf4b00f8dd88b8b83b541b5c24c0baa237f7f64a9

Download Submit
C:\Users\Admin\AppData\Local\BCXRJFKE\FileGrabber\Documents\StopResume.docx

Filesize
499KB

MD5
26ca57122a6193ade39d3a99a7aae3ca

SHA1
4c8ba270cdc912a46352ff8d113ca328ab02bbad

SHA256
eef396505f139379434093e813aef45453844fe6e58f8b2415324316285600f1

SHA512
e364aace081b3a57e0d74e178b54a72c488b726c846e67eec81aa506b34f8fb4e80bc67af77f39798ea5909bd3f61712363395dd6ab3159465c11874d7aea31b

Download Submit
C:\Users\Admin\AppData\Local\BCXRJFKE\FileGrabber\Downloads\UnprotectJoin.rtf

Filesize
399KB

MD5
b3ab7f4e8b1a61046b4419d5f24302d5

SHA1
d5bb3bcbcaadbad33aba92a326b43398cdca44df

SHA256
9d995c06e8925a064224736895f348d8efa8926bda7c7c7e7668b096522565bc

SHA512
453ea84bf7c59a37fa2f8264dc59d580cbc65890551b3d6f8ba57015aed9d2aedd8ae463a017670b9187f57f726646c6ce5a11fdd76c9eb6e805317436843986

Download Submit
C:\Users\Admin\AppData\Local\BCXRJFKE\FileGrabber\Downloads\UnprotectOpen.docx

Filesize
277KB

MD5
883945e411882ef8eb3db32f24f16e12

SHA1
59c701e7938ddea1b148d473cef675315551cb95

SHA256
0fe3d41d24cf53cacddbd15e5b6abeed235b8fe374d350db1e76717c48028f91

SHA512
a31565beef4992295588c5fdd24363e567fe1246307273a0e389a83fc8d0a1e156f6c2020cedd42b3bef6e107ee076ee2d36d7dec48afd2141b101c3b5cb80bc

Download Submit
C:\Users\Admin\AppData\Local\BCXRJFKE\FileGrabber\Pictures\CloseSkip.jpg

Filesize
343KB

MD5
bab8cfb6478b762877fcbd343f4497dc

SHA1
764fdc8f84bb11a4a3457fcde54a8c05962f39be

SHA256
7b92506e8521884ba9eb4e56e74e2909a49ae37f523cad080660a95daa30ebf9

SHA512
8880cf59db30ddaf13a4dced1d29bd37b382b14015d6f1288f413819c5dd3fd41bd8d52d03c776178f9da645714a96124bd6782f524c1b21ee4f839af1b45bcd

Download Submit
C:\Users\Admin\AppData\Local\BCXRJFKE\FileGrabber\Pictures\CompressMeasure.bmp

Filesize
545KB

MD5
81e1c826b60513d784c607b2c5ad5099

SHA1
ab6c5d64a4ee1cba59faec7623a82bbba22012e2

SHA256
196c8eb959517cd7701df29aa75568a8bce69eeefeac3643870e9354e7fd8084

SHA512
c931c142a00608c3b19460c36890a31dd294201eb8a1921e34e2633916181a484df0aea76eb80759b52c0054b3c59b9760accdc4f20eb199cfd20585dcad9404

Download Submit
C:\Users\Admin\AppData\Local\BCXRJFKE\FileGrabber\Pictures\DisableDeny.jpg

Filesize
679KB

MD5
1a0401264a972e3f023cbae18fecf973

SHA1
0976f19799da3ed48eed7a76b9945d860d4ff852

SHA256
24efd36130a9c1f89aa2dfeb0dd987af0b8622ae748e21521fa5192cf892d997

SHA512
b634c7f0da42743185edb5ec0394f83a630d6744ecee1f9417394ee41029e27660d08230abc35d43d8d4e47cc0fdf4adeeed6f7b1914b586cc13ddbaf607b470

Download Submit
memory/3064-85-0x0000000073F6E000-0x0000000073F6F000-memory.dmp

Filesize
4KB

Download
memory/3064-142-0x0000000073F60000-0x000000007464E000-memory.dmp

Filesize
6.9MB

Download
memory/3064-3-0x0000000073F60000-0x000000007464E000-memory.dmp

Filesize
6.9MB

Download
memory/3064-1-0x00000000001C0000-0x0000000000216000-memory.dmp

Filesize
344KB

Download
memory/3064-0-0x0000000073F6E000-0x0000000073F6F000-memory.dmp

Filesize
4KB

Download
memory/3064-209-0x0000000073F60000-0x000000007464E000-memory.dmp

Filesize
6.9MB

Download