Overview

overview

10

Static

static

10

rdp_stealer.exe

windows7-x64

10

rdp_stealer.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    02-01-2025 14:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    rdp_stealer.exe

  • Size

    320KB

  • MD5

    aed949c2645ab1e4671d9cbb6306c063

  • SHA1

    a2cd06f61a2d220b81f62ca62ebe6df3246e6837

  • SHA256

    1f5d9a0d8947fe2761530a5e024fcb655b04cbd57bad826d45956153f74938cf

  • SHA512

    a23794c977667fb59d73ff9781d7262b1f02419bae3094717df0e5ff1ac194cd3e74d8badbd58899f5d03face7944becf7e517f3d82cd24b0f545e4a7b7ef3cd

  • SSDEEP

    6144:3m/Q1Q5Ng68j/svmHC40+XIzFUygWK0tWrcBOvx:3m/Q6P8j/svm1TXI5tZB

Score
10/10
stormkittycollectiondiscoveryspywarestealer

Malware Config

Signatures

  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 1 IoCs
  • Stormkitty family
    stormkitty
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops desktop.ini file(s) 5 IoCs
  • Looks up external IP address via web service 7 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\rdp_stealer.exe
    "C:\Users\Admin\AppData\Local\Temp\rdp_stealer.exe"
    1⤵
    • Accesses Microsoft Outlook profiles
    • Drops desktop.ini file(s)
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • outlook_office_path
    • outlook_win_path
    PID:1596

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\VORHPBAB\Browsers\Firefox\Bookmarks.txt
    Filesize

    105B

    MD5

    2e9d094dda5cdc3ce6519f75943a4ff4

    SHA1

    5d989b4ac8b699781681fe75ed9ef98191a5096c

    SHA256

    c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

    SHA512

    d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

    Download Submit

  • C:\Users\Admin\AppData\Local\VORHPBAB\FileGrabber\Desktop\RenameExport.xlsx
    Filesize

    11KB

    MD5

    df31b621b5ef5a6a1ad35235e5f676e5

    SHA1

    aa93a9375647fae62ec91b2d8aa77e7eebcbe670

    SHA256

    d6366a547f618b15b9d457fd8e3c79558e35188e49f953566879c6a70558f190

    SHA512

    40f045f9301c10e6e49950f56eb8e146d870fc025bca0e0a36dc7a709f1dedebb064e37557e3fa76fc61b3d01a2de0137387eee9c81f76fda16ae3d0fe50f0f0

    Download Submit

  • C:\Users\Admin\AppData\Local\VORHPBAB\FileGrabber\Desktop\StopClose.html
    Filesize

    1.5MB

    MD5

    af9780d413138b2e22b2d7906e30515a

    SHA1

    fe487e67617dbb667de0cd9087f6901149dd6427

    SHA256

    9f986ae4d5c0d18541ca282eef2b8d64dceb4b9cbb9f37481861e4263b91bf2c

    SHA512

    18995b71a4306b1484f80f267ba38646624b7ce8d5a0d5ac2b54f374354b661e330b16bc33d0414b23f5614e988e1929430c72ac565542824ce7977c6f84ee8a

    Download Submit

  • C:\Users\Admin\AppData\Local\VORHPBAB\FileGrabber\Documents\BackupSkip.rtf
    Filesize

    423KB

    MD5

    c775b0ed5503b7f16b21441f8371bc86

    SHA1

    e8b6e1de67fe0dd81ba562a994defc8c902eb604

    SHA256

    3812b7d36e87959d8d89bca6e6b9195620821b65180107909389c77533af734b

    SHA512

    914561396488d57689ccc3c46ebefb123da2b881ffbf582e9b7e7a36c0a64633c5a32f2586243a118fa8ade87ab8854e724189df1e390b597a1cef84ac438169

    Download Submit

  • C:\Users\Admin\AppData\Local\VORHPBAB\FileGrabber\Documents\ConvertNew.docx
    Filesize

    628KB

    MD5

    81eee53b21a0ed4d9160144490708d77

    SHA1

    67ad0747633d054616ae31704a28962c20231435

    SHA256

    ba6aa5fd70051b5e0ec831ffbe24c55cdeee168d4eeaee8e55777cfc81ac8cfc

    SHA512

    0e4aa4293647a0743723404f7aec0c0473ac797753e7172d7f009ed964e35efe4786d41bf6575297938d89a3cd6c01906eeb77530d4c1915f0bfea6409e364d6

    Download Submit

  • C:\Users\Admin\AppData\Local\VORHPBAB\FileGrabber\Documents\GrantUse.docx
    Filesize

    1.1MB

    MD5

    b16d765cad40145c021fe6870f36b746

    SHA1

    bae0017a673d5a3801a1a783d5bfcd5d35d886cd

    SHA256

    5ed86218db4689658142d4f6772d9926040b0d7359cb4947cbbb5ac09b4b027e

    SHA512

    89b3b63bc562e2274d30db44a5189f76b697ccfb14845202ac39aef9296b5e4864f37acd28faed9a79de02167393d689b7e2a2b5af8482924ad66596db31afa5

    Download Submit

  • C:\Users\Admin\AppData\Local\VORHPBAB\FileGrabber\Downloads\ConvertToPublish.docx
    Filesize

    348KB

    MD5

    e72f26bd3f459a436213ffc006c47d54

    SHA1

    f3a67ffe108640c2440c0aa2012cca181477b347

    SHA256

    f2314a7cf8289bc30bd40878350d48672d3ebb81a534f6012deaab219ac9d8c0

    SHA512

    00308c62ba291fb0ba8d0ebc2248426ed1050d6866a2732a645981a02cfa6eb405041989d5aa25a12b547d32ee5e4aea618cc527c88faf3df9819cc83e1e0f3c

    Download Submit

  • C:\Users\Admin\AppData\Local\VORHPBAB\FileGrabber\Downloads\RepairOut.html
    Filesize

    333KB

    MD5

    32669bc86713bfb4c59faf08806da802

    SHA1

    660e520c990837f1e7502cdf2b1d0c3489a68744

    SHA256

    c31a555f38be7ec62770aed431e38f468d6a92396cd4a9efbc6688e94c6e45c4

    SHA512

    499e19fed322f741c9cb76521f29a09526fc980efe3c13648f7d74ebd78b6c09c58024ef69c8d2ac181faca20aaf9bdf3e8c359abc535b54ec0257324bd33360

    Download Submit

  • C:\Users\Admin\AppData\Local\VORHPBAB\FileGrabber\Downloads\ResumeSuspend.jpeg
    Filesize

    589KB

    MD5

    84456216fbdadf17e803c6d065b91e77

    SHA1

    87f3f16f26a5c0afaf68925bbd1ec827a7a72da2

    SHA256

    d8efb3d4af5f8b42c49bf31c295a55a79d0b93cbf6a5d01cde7f9bb9b6947f2a

    SHA512

    e9a5412013061f5ba6bc3952cf5098313f79168d2b49e94c7618b0e3fe32d23fefe3007627173c32c29265ffa46a947721072a8cca42be6fa8695061cbd3d886

    Download Submit

  • C:\Users\Admin\AppData\Local\VORHPBAB\FileGrabber\Pictures\ConfirmAssert.jpg
    Filesize

    466KB

    MD5

    367ddc2c0dbdcb3d207c81c97d22420e

    SHA1

    861e86e55644dbb8c17e81930ed7a678853a08d0

    SHA256

    7479d2e7540395232386d4aacd11210ecda6d40979b44e7ea7bf93ad4e5a84a9

    SHA512

    e32189d4d51105ba393ca4bef3ef1009df253e470dbf09d7a05a18e5f874fbf17e461476efab6f523db686516f11cd44e6a40df28264911371ac69a59186c8b5

    Download Submit

  • C:\Users\Admin\AppData\Local\VORHPBAB\FileGrabber\Pictures\DebugWrite.svg
    Filesize

    329KB

    MD5

    293ffbbd6b39502ebb12562cd9524a63

    SHA1

    a1558bf1142053d6cd5a348a4ad6b912c6899ccc

    SHA256

    737a9ebcd381b08cd33a3411e064cfc47d3514f666e322b42d851714c0224e6a

    SHA512

    0a42c984eac0948b58451c4166311a905e1e7e76f0a6fd546181dea2b9426273089ca5b158cb434e2548427a1486f6008a7e8162004fe083960a35f38ee89caf

    Download Submit

  • C:\Users\Admin\AppData\Local\VORHPBAB\FileGrabber\Pictures\MeasureRename.bmp
    Filesize

    238KB

    MD5

    64922aac9f5cb74d6921c750d7532421

    SHA1

    89c463e8943a445b18a183044dbf05bcf453832e

    SHA256

    96d8b1d8ab234ea1bfd71948b1a08ec996db4d60b5d4e04abe3b25ee62b5fc1d

    SHA512

    1af1ba6280c08d7266470d5db8a4a37c858d51beafe7e956ec2931b8561f15e432efb1162ec7fe7ed8299e101a8367b7522e7183fe79882c49d0af74d76adfe7

    Download Submit

  • C:\Users\Admin\AppData\Local\VORHPBAB\FileGrabber\Pictures\RenameExport.jpeg
    Filesize

    398KB

    MD5

    90483dcf53780afeae380c46d3a064cd

    SHA1

    3983ff044fbe44d4158183c1ae6db5fe26ae81db

    SHA256

    cfc3b977a2a3b3e83841b77cd9d0879608188f470a542d19f339cb35942aff18

    SHA512

    edbb2ff2375cf1cc4e0cbeafba24ae822eaa34ca774d8a6e550833a3bbdbc24e7d87e76ea1d089dac02f77ad458d4bea5dda3c3bf26a3ad403670e96458f9d15

    Download Submit

  • memory/1596-0-0x0000000074B6E000-0x0000000074B6F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1596-1-0x0000000000390000-0x00000000003E6000-memory.dmp

    Filesize

    344KB

    Download

  • memory/1596-2-0x0000000074B60000-0x000000007524E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1596-172-0x0000000074B6E000-0x0000000074B6F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1596-173-0x0000000074B60000-0x000000007524E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1596-200-0x0000000074B60000-0x000000007524E000-memory.dmp

    Filesize

    6.9MB

    Download