stormkitty | 80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660

Analysis

max time kernel
30s
max time network
34s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
01/01/2025, 02:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
Size

320KB
MD5

1b8dac31eb30bd909fadcd9738c832ca
SHA1

3d5021b656dcb39863d39430a4eddb5d6eb0e177
SHA256

80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660
SHA512

25b02e6ae62add0a550b6c6cf3b1506177012ff94d885f0773fe5a7554d1fee1c96c3f286d6728eae31249eacbfc26d4869633145ba48ff3e6cef54ae8a9e54a
SSDEEP

6144:3m/Q1Q5Ng68j/svmHC40+XIzFUygWK0tWrcBOvv:3m/Q6P8j/svm1TXI5tZB

Score

10^/10

stormkitty collection discovery spyware stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/memory/2104-1-0x00000000000C0000-0x0000000000116000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\BCXRJFKE\FileGrabber\Desktop\desktop.ini	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
File created	C:\Users\Admin\AppData\Local\BCXRJFKE\FileGrabber\Documents\desktop.ini	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
File created	C:\Users\Admin\AppData\Local\BCXRJFKE\FileGrabber\Downloads\desktop.ini	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
File created	C:\Users\Admin\AppData\Local\BCXRJFKE\FileGrabber\Pictures\desktop.ini	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
22	api.ipify.org
23	api.ipify.org
4	freegeoip.app
8	freegeoip.app
18	api.ipify.org
19	api.ipify.org
20	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2104	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
2104	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
2104	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
2104	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2104	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe

C:\Users\Admin\AppData\Local\Temp\80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
"C:\Users\Admin\AppData\Local\Temp\80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe"
1⤵
- Accesses Microsoft Outlook profiles
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\BCXRJFKE\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\BCXRJFKE\FileGrabber\Desktop\RepairDismount.rtf

Filesize
863KB

MD5
fe6559c2060cd952a14fa275d4635589

SHA1
65600718059562c616e451330a262eb7abb1a187

SHA256
1a47a85170c69e4c13a0e7db31dc88876eef2384b7545099b31c00e426736d91

SHA512
d72fa355e4d885bf84fef97202a978f136721853b7be388570363a1ea30260517b9c5a69a2151599527ccd90508c30b990e2b4ea23fa9390c01d654470388e15

Download Submit
C:\Users\Admin\AppData\Local\BCXRJFKE\FileGrabber\Desktop\SkipBlock.css

Filesize
546KB

MD5
91b3c27dc43b02b6b47049a1d41592ea

SHA1
ba492b4ec36b4b1b8322e9d164afd29a3529d579

SHA256
479de4ba2e0e3ac5e006f75e7f49d56abdd9d7d70351b08826ffe34933e7a9e5

SHA512
2cfba7691296c2c8d4c1573d9a306494831c639d36dbe30eee68f2c77ff6d94067ee0131e953e9211dc612db5b33804acc09b2fff3c0301b9b34544857e2d9ae

Download Submit
C:\Users\Admin\AppData\Local\BCXRJFKE\FileGrabber\Documents\NewConnect.doc

Filesize
671KB

MD5
b3ed3dbb3e92b549b519b0e8aad3da14

SHA1
115f36e841ce12b9fb40ef257b749570c2c74ad4

SHA256
6046891adce74a2b0b38ff356d13b50438f1964cf9360ed2efe0a893a2513451

SHA512
7c46819f54b1b5bc5fb0ae43fc068f04ce7b83655a9443af7be9d426cf1650a7dff1cdce69b85e4a6fb0fd22e59a1dfb746a92655fc4e692c955e1906a17d1f0

Download Submit
C:\Users\Admin\AppData\Local\BCXRJFKE\FileGrabber\Documents\PublishMove.doc

Filesize
170KB

MD5
a743333b6d1d77d176581bc3eaad05e9

SHA1
886da3881fd19d2fa2d93b15c005d33f52b99a17

SHA256
5cc672ba75e1f2df7a0007c0548e31b5653436d14423d90753331d7766f03dbb

SHA512
6bd1ea2739d81226abfdd6df64298e08a5fb11fc1422a1404fd5ded208b5258dbf679777b859f9a144cb5bd36a624e86c1156721b6789c9ed0791468b3bea0af

Download Submit
C:\Users\Admin\AppData\Local\BCXRJFKE\FileGrabber\Documents\PublishRepair.docx

Filesize
216KB

MD5
c1738d207862edef2504e1715bea2edd

SHA1
8111846072ba446450f43cdb557f016c58ca88a3

SHA256
126cf8c6e7c0038dea9be07861129bcf4144e1027ad3e7da29f4284dd57c5f44

SHA512
53a987bb460c2f34f0d59f8f554a9a4f16966a0e40730cb23699e9728ac75b87944095f078a825d2625205c0bd5c0decee715fc27fd37400ccd7053718aeb09e

Download Submit
C:\Users\Admin\AppData\Local\BCXRJFKE\FileGrabber\Documents\RevokeExit.html

Filesize
182KB

MD5
d9442ab31581bdaf909adbab59ef5be6

SHA1
0f0e4da94019b1108209cfbb2d1fcfdb46534b6a

SHA256
6edcb3056c431af02c8e1305fb1827be2e365a5de619dab998cc334ef543a201

SHA512
09874d6049b5b317b7a2a64b58a1403dc7c3f078b863d17bc1c8577222815485b081e6d48c8d966b5da1689d832cdf37a26984c502adb838debafc9cef58b82f

Download Submit
C:\Users\Admin\AppData\Local\BCXRJFKE\FileGrabber\Downloads\CheckpointMount.bmp

Filesize
506KB

MD5
e60e3e751bad7b2033581c6d8fd48aeb

SHA1
249acc4ac0f547274f1264cdf97fcb17449ec783

SHA256
8f36e3a6332678dc3549dae6187890abbc9fe4aca15bdf7c5dc1f7819b8cd6ca

SHA512
b987dac605e1a56f829381c9224a1e6421d1554bbdf9287213ccaf074913936dace0c78458545204b8fad4b7e50ff20f168f8413503bf00725a475094f7b9a37

Download Submit
C:\Users\Admin\AppData\Local\BCXRJFKE\FileGrabber\Downloads\MeasureReceive.jpeg

Filesize
610KB

MD5
a7565b16ebc026a3c0a5e65e53d95d28

SHA1
6c1700d4e95fd105c7f08e8543811ca115adf01e

SHA256
be069e3d31b6126d78bd733d8824b4093f9813755de7d7fe0fee268fbdd80c59

SHA512
52a752487c09a2993b70bec2db054217bfe543d19185ab0060b5884a94190a514b0d17d84fd90c42c5b5aee9acb71463ffba28b167248b345a3fd2d8652f241e

Download Submit
C:\Users\Admin\AppData\Local\BCXRJFKE\FileGrabber\Downloads\ProtectPublish.docx

Filesize
774KB

MD5
56c4dabfb656e37403d7a8cdf228e268

SHA1
c26f7cb7c93238e08c9a7cac2f16574e12095b4f

SHA256
cd9c87bc81ef3b1e4ee9ef116a1e927e58bfcf0f127b70308f093266096ff72c

SHA512
b1ebfbb32139e9e6fa04e389cdd45de2c144b64b838f564d71e94c32433e34fc74376670112b1ad30917e240a270b2bbe40ef8ae0ec14f7c5c7d0512468b67da

Download Submit
C:\Users\Admin\AppData\Local\BCXRJFKE\FileGrabber\Pictures\DisableExit.png

Filesize
179KB

MD5
82d6d5cf37b1c2e09123db540bba49ca

SHA1
e758a08e53804d44fac45d811bf77c336456cc04

SHA256
c05ab1e47f455dd8699ac55a6d8584eaad75bd8a34df76d6b25f6aa80377eba0

SHA512
25cda6d65414a352efdedae983bb15da83e1870b2c232f0e72a4d198963a9eddb5907395146bcf7922d5fe271de542cb475f537c6972e4e74c8730bf3b85e588

Download Submit
C:\Users\Admin\AppData\Local\BCXRJFKE\FileGrabber\Pictures\DismountSelect.jpeg

Filesize
346KB

MD5
061cbe227921ff0ada60a401f1a14360

SHA1
5d8887029312b116b57c33054a9c9c3015e4427f

SHA256
2de9625c1c6d4a2e002df8236c72cd82354c89c6cb294f41e4df3b24d25f5e0e

SHA512
9a91a0d15eac9313a6961fed56d1298bb3def5a6eacdc414876b1b6284d11bf70d423f772aabf339582d9bdc8028b4581cdc67fcd4d7520144f67847c51847b5

Download Submit
C:\Users\Admin\AppData\Local\BCXRJFKE\FileGrabber\Pictures\JoinUnregister.svg

Filesize
296KB

MD5
0a0b0182c6d4c65f21f6d4166b7f5e22

SHA1
d7be483a0c6d35efde3c1416893d842889c31683

SHA256
1c386b3f401cff15c40f85f17db7621f068bdabc05a16137856d7fb2ec4bba89

SHA512
028bd691427699e86a6885b50815faa0a259aab6381a149c5c36b5b5de7460abea079aeac110ce2a398654342289c1049fdf82e0363edef418b2932524159a79

Download Submit
C:\Users\Admin\AppData\Local\BCXRJFKE\FileGrabber\Pictures\RedoStop.bmp

Filesize
405KB

MD5
75ef36f3e55b9fa2739aa9dd04facebf

SHA1
75e444eead01c6b60ae4f4a188bea284cbcb798a

SHA256
23dcb8cd28d037d00a1ad33a8d48990afaf1e213e6113d3c936d81227404f43d

SHA512
841bd8f153d56073fe070de7861eea76f33485d49d9de716595d4c3987c0c558b817a53beeb4f54a80bfe5bc576ffee7212d442c32d5f28f52483739cddfe9e0

Download Submit
memory/2104-86-0x00000000743A0000-0x0000000074A8E000-memory.dmp

Filesize
6.9MB

Download
memory/2104-85-0x00000000743AE000-0x00000000743AF000-memory.dmp

Filesize
4KB

Download
memory/2104-2-0x00000000743A0000-0x0000000074A8E000-memory.dmp

Filesize
6.9MB

Download
memory/2104-1-0x00000000000C0000-0x0000000000116000-memory.dmp

Filesize
344KB

Download
memory/2104-0-0x00000000743AE000-0x00000000743AF000-memory.dmp

Filesize
4KB

Download
memory/2104-216-0x00000000743A0000-0x0000000074A8E000-memory.dmp

Filesize
6.9MB

Download