stormkitty | 80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660

Analysis

max time kernel
93s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2025 02:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
Size

320KB
MD5

1b8dac31eb30bd909fadcd9738c832ca
SHA1

3d5021b656dcb39863d39430a4eddb5d6eb0e177
SHA256

80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660
SHA512

25b02e6ae62add0a550b6c6cf3b1506177012ff94d885f0773fe5a7554d1fee1c96c3f286d6728eae31249eacbfc26d4869633145ba48ff3e6cef54ae8a9e54a
SSDEEP

6144:3m/Q1Q5Ng68j/svmHC40+XIzFUygWK0tWrcBOvv:3m/Q6P8j/svm1TXI5tZB

Score

10^/10

stormkitty collection discovery spyware stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/4376-1-0x0000000000F60000-0x0000000000FB6000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\HGNBWBGW\FileGrabber\Pictures\desktop.ini	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
File created	C:\Users\Admin\AppData\Local\HGNBWBGW\FileGrabber\Desktop\desktop.ini	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
File created	C:\Users\Admin\AppData\Local\HGNBWBGW\FileGrabber\Documents\desktop.ini	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
File created	C:\Users\Admin\AppData\Local\HGNBWBGW\FileGrabber\Downloads\desktop.ini	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	freegeoip.app
6	freegeoip.app
35	api.ipify.org
36	api.ipify.org
37	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
4376	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
4376	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
4376	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
4376	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
4376	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
4376	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
4376	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
4376	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
4376	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
4376	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
4376	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
4376	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
4376	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
4376	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
4376	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
4376	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
4376	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
4376	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
4376	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
4376	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
4376	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
4376	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
4376	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
4376	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
4376	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
4376	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4376	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe

C:\Users\Admin\AppData\Local\Temp\80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
"C:\Users\Admin\AppData\Local\Temp\80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe"
1⤵
- Accesses Microsoft Outlook profiles
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\HGNBWBGW\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\HGNBWBGW\FileGrabber\Desktop\DisconnectOut.bmp

Filesize
1.0MB

MD5
ce4d3ee1547060355ddac8ebf1cab692

SHA1
577a1df852228dac2e7a423117417a038185d478

SHA256
b9d00e6de4f004e0f7911358f5b63c5e61b76dc32b4cb516dea17ba95a435c9d

SHA512
950ebb795cc2f8116d5467734561a444fd88fb6ee5037c4ef84a6e623fa9e7e8e72d07afdb2985f0af8ea127dba67fd3793792062e30c09d4a91901d2c64cb48

Download Submit
C:\Users\Admin\AppData\Local\HGNBWBGW\FileGrabber\Desktop\ExportClear.php

Filesize
480KB

MD5
7dee088030a392c36dbd415cd21a5beb

SHA1
f7a6120265b7c430983d9c4ec3b86d049e5f93bf

SHA256
b7d07fb87f5dcbe7cf7d4e21047eb8718971227c9addb3c26e21597e7c2ee456

SHA512
48e73c6bd9456af3e5c2d7932e042b7cda0c694a2fea9096dcca6e63321259308c7508abef8ed3c495285577f920baa5754bb9519bec0dc7a1d38810a72ca002

Download Submit
C:\Users\Admin\AppData\Local\HGNBWBGW\FileGrabber\Documents\SplitWrite.rtf

Filesize
715KB

MD5
515e99839f179b491afcf012256211aa

SHA1
998d5a6b09b3c837ab4e7ce746a1230b94bc76eb

SHA256
bcb5b7779ad90305250c0a1f713e6d10d9404937950c74a555379d90051a86e4

SHA512
ab9e9a99bde670a1e73d60a1d16a16495dd4fc4772ab574f23e8495c1148c680ce187f4b63d933be79b87c2b574c4b0df3e27816a9fbd5b17498b30ea046ec58

Download Submit
C:\Users\Admin\AppData\Local\HGNBWBGW\FileGrabber\Downloads\RestoreSync.bmp

Filesize
605KB

MD5
d093b070c850bd3cfc3ddb45da91397f

SHA1
c022b0ca64ac75e9feb598b6cc5b7cf2a299b5b0

SHA256
5a768b783154a8d314c906e72cfc09e7ad26f8862ec17860515c484774f500da

SHA512
76a93e57e111d71eaeba38b5c2cfbb6eaf060d06b340433701df7a4c2887ea76a2af21e0c04e0cd26e8620045e60d36821f22bb6ee457284f34b4a9247b739e1

Download Submit
C:\Users\Admin\AppData\Local\HGNBWBGW\FileGrabber\Downloads\SuspendDisable.js

Filesize
637KB

MD5
3991e5ba9bb16454702158c6f7db716f

SHA1
ae019a398a9e7d7b072dfce1a7376ea7644ec0f4

SHA256
4b99fdec8a66a823011344792f4bbfc12fdd53090086956ea6ad33d92f164f5d

SHA512
5af378408d6a3e413f73e0c8754f0b37c8673d70182049359b1c09acaaf4d927ddf577b58a8966ba62b9fca1f9cc93a67007ce0eafc9347a8c41b44964ee238b

Download Submit
C:\Users\Admin\AppData\Local\HGNBWBGW\FileGrabber\Pictures\DisconnectConvertTo.bmp

Filesize
872KB

MD5
e1db786840203515f971830f2964655a

SHA1
fad4c3cc90367d5ae0fb28a53525ed75a793b558

SHA256
60cc5f9f8397111163ba46ab51b1718c04576531aa0475fa16ebb429872490dd

SHA512
3ef50514ed13d102e80b551f80382ed97ab76ce04b903bfa606a785c06ce70186264d0fea326028217dd8389b731922303d2cfec82232a03514acad28d824e74

Download Submit
C:\Users\Admin\AppData\Local\HGNBWBGW\FileGrabber\Pictures\DismountClear.jpg

Filesize
562KB

MD5
25495285806ad4b681b834ea9fc49cb1

SHA1
dbe096c6f2f5d44210e22ee5bd20f7e822d519a4

SHA256
b05bce41239cd8e80e0768272f60a425c0c880891092777c484bb83504875c91

SHA512
b5656fbc1e35a996987618209996675da064de7e0c53bd206799d4c4974f21d58d2b9fb1631d750fe9fdd43ec160c1a587bbef33f8cb4c0c38129c5b7efe522a

Download Submit
C:\Users\Admin\AppData\Local\HGNBWBGW\Process.txt

Filesize
4KB

MD5
ab1e2d4a7ea22e80b55cc29254182153

SHA1
f4a209ec595f3d9d59549140762c057f18579df9

SHA256
a5feb6851518c84920ca7111e9f6330a1a74ab3f84dbf7fc514f31a1f88848b4

SHA512
63889e9ecd253b020f240cbe24a5aa834c327147efebd5d40283a3c75745344b3a255211b9c01e8ebb56ff9f19194314ea03d97cc8f48d6d2cb3eb22dee5e1d3

Download Submit
memory/4376-33-0x0000000007150000-0x00000000071B6000-memory.dmp

Filesize
408KB

Download
memory/4376-31-0x00000000072E0000-0x0000000007884000-memory.dmp

Filesize
5.6MB

Download
memory/4376-25-0x0000000006C90000-0x0000000006D22000-memory.dmp

Filesize
584KB

Download
memory/4376-2-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/4376-1-0x0000000000F60000-0x0000000000FB6000-memory.dmp

Filesize
344KB

Download
memory/4376-0-0x00000000752DE000-0x00000000752DF000-memory.dmp

Filesize
4KB

Download
memory/4376-226-0x00000000752DE000-0x00000000752DF000-memory.dmp

Filesize
4KB

Download
memory/4376-227-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/4376-252-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download