stormkitty | 1f5d9a0d8947fe2761530a5e024fcb655b04cbd57bad826d45956153f74938cf

Analysis

max time kernel
93s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-01-2025 14:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rdp_stealer.exe
Size

320KB
MD5

aed949c2645ab1e4671d9cbb6306c063
SHA1

a2cd06f61a2d220b81f62ca62ebe6df3246e6837
SHA256

1f5d9a0d8947fe2761530a5e024fcb655b04cbd57bad826d45956153f74938cf
SHA512

a23794c977667fb59d73ff9781d7262b1f02419bae3094717df0e5ff1ac194cd3e74d8badbd58899f5d03face7944becf7e517f3d82cd24b0f545e4a7b7ef3cd
SSDEEP

6144:3m/Q1Q5Ng68j/svmHC40+XIzFUygWK0tWrcBOvx:3m/Q6P8j/svm1TXI5tZB

Score

10^/10

stormkitty collection discovery spyware stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/3440-1-0x00000000000E0000-0x0000000000136000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rdp_stealer.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rdp_stealer.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rdp_stealer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\GYHASOLS\FileGrabber\Documents\desktop.ini	rdp_stealer.exe
File created	C:\Users\Admin\AppData\Roaming\GYHASOLS\FileGrabber\Downloads\desktop.ini	rdp_stealer.exe
File created	C:\Users\Admin\AppData\Roaming\GYHASOLS\FileGrabber\Desktop\desktop.ini	rdp_stealer.exe

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
35	api.ipify.org
36	ip-api.com
3	freegeoip.app
6	freegeoip.app
34	api.ipify.org

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rdp_stealer.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	rdp_stealer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rdp_stealer.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
3440	rdp_stealer.exe
3440	rdp_stealer.exe
3440	rdp_stealer.exe
3440	rdp_stealer.exe
3440	rdp_stealer.exe
3440	rdp_stealer.exe
3440	rdp_stealer.exe
3440	rdp_stealer.exe
3440	rdp_stealer.exe
3440	rdp_stealer.exe
3440	rdp_stealer.exe
3440	rdp_stealer.exe
3440	rdp_stealer.exe
3440	rdp_stealer.exe
3440	rdp_stealer.exe
3440	rdp_stealer.exe
3440	rdp_stealer.exe
3440	rdp_stealer.exe
3440	rdp_stealer.exe
3440	rdp_stealer.exe
3440	rdp_stealer.exe
3440	rdp_stealer.exe
3440	rdp_stealer.exe
3440	rdp_stealer.exe
3440	rdp_stealer.exe
3440	rdp_stealer.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3440	rdp_stealer.exe

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rdp_stealer.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rdp_stealer.exe

C:\Users\Admin\AppData\Local\Temp\rdp_stealer.exe
"C:\Users\Admin\AppData\Local\Temp\rdp_stealer.exe"
1⤵
- Accesses Microsoft Outlook profiles
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\GYHASOLS\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Roaming\GYHASOLS\FileGrabber\Desktop\ImportBackup.sql

Filesize
270KB

MD5
10c930c69e6d19bbd19da56f5a12d2b5

SHA1
9088e2bd8733dece854a5513542f5217947ea3fb

SHA256
94e2cae84b425c71a2aef601947e567d3c2086652f8a98ac23b849da530987da

SHA512
0b3c1f7a5ef174ffaeeb17d5e061cdb868c01c4bce1ec0b017a1b9f9784c3746534455a99c219d6a1a6e6331461ff936e76639883016c6e34c7bd45496222036

Download Submit
C:\Users\Admin\AppData\Roaming\GYHASOLS\FileGrabber\Desktop\SaveDebug.html

Filesize
434KB

MD5
23c6d57546bafb82c756e144808b64cf

SHA1
36fbdb4fb72b4e3f3e02e60a231babe8761b048d

SHA256
deb7a2261c011935970ec9d9eb5389d0f9c17b01b020cbb3402e9e2b7e55f7eb

SHA512
bc0ddf6e2f52f2758380e1092e48f9461de501a5021247dba658e1b9a7511110ba670a54b4e3d3c3362dc34bf63c70c5b81ef4f6c34e435c14abbf67a76ae71b

Download Submit
C:\Users\Admin\AppData\Roaming\GYHASOLS\FileGrabber\Desktop\UnprotectPush.ppt

Filesize
470KB

MD5
a55a141dc3a5081ae725f2ab53cafbda

SHA1
5dc91842cd46027133a9ca5ac3a63e6b0be490f8

SHA256
571c84e0e1936b36632ea218b341e67c3204a289cbf15d19961574ca6d782f5a

SHA512
6da0854fcfd091f8b3c3f8e82eb2ffbbbedebba54c3cdfb76d566161df7963e18be5377de084faad6a576d0662a3c0072cfe65697a4d57005cd62772fc5a3c16

Download Submit
C:\Users\Admin\AppData\Roaming\GYHASOLS\FileGrabber\Documents\RepairCheckpoint.docx

Filesize
1.4MB

MD5
5d647b2ce987c9e6b99988300c25bd28

SHA1
c11561be0bbf2e91bf08ab1691f070647735bfe0

SHA256
bf3dd69d2e089cf51c572b20734a472cf54e4163fe26213cb65ce51bd9991113

SHA512
148308b0469eb241edaf067b53e7c4ff2d8775e376242d3200611b7d3e005dd93c87815ca1af05d30e870f2aa79f3a3f40244ce0a60d8f2ea22b044d4706e162

Download Submit
C:\Users\Admin\AppData\Roaming\GYHASOLS\FileGrabber\Downloads\InvokeUnregister.php

Filesize
443KB

MD5
e68d2085d9389fbac931370153e688a0

SHA1
e240ee05a6bd6c67c91661d2558bfc50614102f4

SHA256
9df8e6fa4d85b0be767933a134b5bf9ff9664ad0e5943bf1f47b6292abcd60ce

SHA512
3c5287ba4bc22e5831f39d620ef8289dd701cf8a4aca064938a6599c9fb19e49db1dfa8ab698a3edc75d697f8a9ae7162b315ed42d79b8555d2a01862fc59eb0

Download Submit
C:\Users\Admin\AppData\Roaming\GYHASOLS\FileGrabber\Downloads\SuspendRestore.svg

Filesize
392KB

MD5
d6bd0fa5f2d9522e3774b09a9383d967

SHA1
eec8dbafa407b82de09feddc69c2760e76475066

SHA256
7801b6729ce82c19ea842fe16697801aef12242ffb62ea32234d3885f1473923

SHA512
08c6ad5ab7b3bf6103c372b9900a75c689deb9683a15220e8a36550ebad57e19239159b6fecd1241baafdd8cdc8cf66fc4b168c006f57e7c2e4e0b2ca4ba0db6

Download Submit
C:\Users\Admin\AppData\Roaming\GYHASOLS\FileGrabber\Pictures\AssertUse.bmp

Filesize
220KB

MD5
110df8bdaf2175e191af9942cd1697dc

SHA1
27e9b83e4ac98d1234b49e02d3059cc8d11fe85b

SHA256
07e1aec7aa8206c922aa58ca63541adc25a85569da22db5abc02bee09d4719cc

SHA512
2acbd29a6301ffe1f64687d8d2f4835478e882551a4b67b75a341662899858ad1cd69ce5b5f7e83132f754c31e78180f1f45db54ecfaf1220f3ec9a53968894e

Download Submit
C:\Users\Admin\AppData\Roaming\GYHASOLS\FileGrabber\Pictures\ClearOptimize.bmp

Filesize
451KB

MD5
fea8767357b603dc19889257a64f1613

SHA1
9080a407a1f11fd6a53996109cbde040e6021647

SHA256
6ff65a9f98fcda4f910bcf29d26c8969fb969eb28b81a83d6a4a94812853d5d5

SHA512
122b830eb0f8575f563f3af074f7fef555803f342b33574f114fb77bb7b5a56e5374f49094925cbe04c67be9858debe0cb8598eb1956c7eb22790ca2da03c0a1

Download Submit
C:\Users\Admin\AppData\Roaming\GYHASOLS\FileGrabber\Pictures\CompressReceive.jpeg

Filesize
209KB

MD5
16249a9bab88018cc7c002f5e0702ded

SHA1
5186596d37e7ed930a0d0e334c39f0100a26e301

SHA256
4c1a604c87351ecfa989d4d22f05a672d6b8c64fad3b53714dba5a62c6a95804

SHA512
59dd52e2a8137257018b5176e33851eba91bab50f4309a81701f5ee819b65ea91cec41fc881e82b95c6610ff5c673c6f191b0fdf5351e4da954578752bb4bd00

Download Submit
C:\Users\Admin\AppData\Roaming\GYHASOLS\FileGrabber\Pictures\DebugConfirm.png

Filesize
506KB

MD5
283ba7c13196636bd85bbb8bbae6501d

SHA1
a824b0ae62844e1c1e620d1feb2c33558e2b47c7

SHA256
b6510cc299c221e40ea089e7b9e53cbea22e386a4b99e87fc3fe6b3de6f8a2e7

SHA512
92ca1a0468c5092458c3d7c8866a79298e5e2ef23e5a8cc5c36f117c77b242c972f3b609d29f5473a6cb5e369885d950e2341d3c5f36b0d27199312e87002e23

Download Submit
C:\Users\Admin\AppData\Roaming\GYHASOLS\Process.txt

Filesize
4KB

MD5
2253a93df8fee889d868c68f2a0a7e84

SHA1
1b8e9ca4f46502a2579f7486004adad67d7d1213

SHA256
60b1d24b16d16a761f10e8282362df4f3c583300f19f97bea4d0d81e5b0d2c12

SHA512
aee86dafd17509bfa59eefe7a12411a4022118a9a7dda690055425dc37103936f7cefe8d9ce557756dc45ddcadbc53506eeed1e33d52c58f27130b0307ff302d

Download Submit
memory/3440-32-0x0000000006210000-0x0000000006276000-memory.dmp

Filesize
408KB

Download
memory/3440-27-0x0000000006330000-0x00000000068D4000-memory.dmp

Filesize
5.6MB

Download
memory/3440-26-0x0000000005CE0000-0x0000000005D72000-memory.dmp

Filesize
584KB

Download
memory/3440-2-0x0000000074540000-0x0000000074CF0000-memory.dmp

Filesize
7.7MB

Download
memory/3440-1-0x00000000000E0000-0x0000000000136000-memory.dmp

Filesize
344KB

Download
memory/3440-0-0x000000007454E000-0x000000007454F000-memory.dmp

Filesize
4KB

Download
memory/3440-233-0x000000007454E000-0x000000007454F000-memory.dmp

Filesize
4KB

Download
memory/3440-234-0x0000000074540000-0x0000000074CF0000-memory.dmp

Filesize
7.7MB

Download
memory/3440-260-0x0000000074540000-0x0000000074CF0000-memory.dmp

Filesize
7.7MB

Download