stormkitty

Sharing

Copy URL

Twitter E-mail

General

Target

venome OTP BOT.rar
Size

148.4MB
Sample

250117-te1gtavmbs
MD5

663d68eff9295c6bf8bab560885602e5
SHA1

f29fcf32a1bc8259f1bba4ac54508b0873f227d5
SHA256

6c303c36c48e2ad0c03eea089525a959f9d90e9df05544c5dc8ae499bea8cfe7
SHA512

f76ae13dc6dcbe814fd9f42626518207818e7e6467efe8209a6d2fb2cf2b6f3caea886612289d4dc9616c9efc5f7f73231fc8249a590b44e0f235a2836783dd3
SSDEEP

3145728:E8jJRp/YRMb4d+x0DqKJBcJQcjsem2TkoFAlWw2SNQpHgqAkjS:tjrs+Bxj02BFA4w32dAkjS

Score

10^/10

Malware Config

Targets

- Target
  
  venome otp BOT/OTP BOT/DotNetZip.dll
- Size
  
  462KB
- MD5
  
  8812d06dc764289aad64c5af59b31fce
- SHA1
  
  8a8d61d7a4144a536c372ff3b2721f9f82e848b3
- SHA256
  
  c89a345f82b721194a3d511415eb38f8390d224725574c242dd24349814055b2
- SHA512
  
  f46671ae4e8c62b39f34f83f4e8be2bc97d10f5f23d1328acfe3951c3c96277898ef249ee91353613e43578f4f3224aab6609c4fda966666d62db46a0e6b4882
- SSDEEP
  
  6144:BF4lenKdxBoW6iev7zBIL09vdGtSV41kJDsTDDpBnse6OVxLV/xQaqYN3fmxalo:BF4lqKdxBdheDES4csRBse6sfDVca
Score

1^/10
behavioral1 behavioral2
- Target
  
  venome otp BOT/OTP BOT/HandyControl.dll
- Size
  
  1.7MB
- MD5
  
  1ffa7237d695541158de09ef6a3fe74f
- SHA1
  
  d46c42d47302bec68b0f42969f7b1bb4a9504d2f
- SHA256
  
  9569eda5c0af677733b29fd3247d48651a5604f21e8aa03ad0fe3508d9609ba0
- SHA512
  
  176bd9478ec75cbe4f26ecfbc0717bdaa69148c5b38a8b14b9ea8477505ec56b982350c07acebe0aae9235dc313b0b64391737d9442ee397546eb3aceeeeb305
- SSDEEP
  
  24576:Ewr+FdUo+3uuobzeXEF7qpILuLUiOBqiIiGiXiIi6ioIP7cTq2X6s8uUpWGGvAdN:E1+3ubbzapdMvU0GcH
Score

1^/10
behavioral3 behavioral4
- Target
  
  venome otp BOT/OTP BOT/MailBee.NET.dll
- Size
  
  1.7MB
- MD5
  
  6dde77d756621d00016945736760f717
- SHA1
  
  7094f0dea1b4c4bfd7f840b63b704dfc9bdd079f
- SHA256
  
  81632ee251474cb656dce412181e9f68f426ba20f3a0c4120c868a0cf05cd6d0
- SHA512
  
  e3389201e9d198be6304b79559d9d5d457cb33c74b441afb7ecafe4aaafb3cb0d583cd4ab8a5eb6045cd934d2c2a4007f6d1474beb5584585fcaae0060f4b813
- SSDEEP
  
  24576:sDMgcE4ilhMM9XBav0OvQRk/9P7miD6MaP7N:sDMgcWfMM9XBQ0OvRmiW17
Score

1^/10
behavioral5 behavioral6
- Target
  
  venome otp BOT/OTP BOT/Newtonsoft.Json.dll
- Size
  
  679KB
- MD5
  
  99f75ea1a4a5a0206d4be30827ca87bc
- SHA1
  
  73e6aba5d4a8be5eb82eca5b5faa2594fbae3bde
- SHA256
  
  99592e8b144529d5e0acc40028758643ae475bcacdeb5288c1a1a3c0502e0453
- SHA512
  
  c3e64c3556f58b171ac6528a448fe44f22946177580cf29b01115783e7cba0037517b40e4a32c948da623cb447038eb713f9cd0617f27f7a5873488b297b4fe3
- SSDEEP
  
  12288:gLnRIXzZu/3yNFCU8xF6xc8yNRaVjI3QMDajj1HiiiR8MJhBB0ihT1fWNUwHOvWQ:AnR0Q/3yN4U0WtCMBCj0u
Score

1^/10
behavioral7 behavioral8
- Target
  
  venome otp BOT/OTP BOT/System.Data.SQLite.dll
- Size
  
  392KB
- MD5
  
  147328def2e79a86d7335a661eecc051
- SHA1
  
  98ff30131d77cf28807d50b97cc92cc8655e235c
- SHA256
  
  7442d48a24c1747cb17d80e95c4d7343de16e14a252484ace3be3fae55b1d641
- SHA512
  
  d26f6627f09cab90ae545df68f2df006f0beb988cfadb16f6af56a454e854a9b9c10d2ce787052b80536f9d05b7286d57e42f361f54944e20df99b3c1c49aefb
- SSDEEP
  
  12288:Omfjeeb63oRXFNFfcaFeFOFwcGF6cmFWc0FWc8cIcKcUFJFpcNcHc7cbchFFc5c6:Owu3oRrP
Score

1^/10
behavioral10 behavioral9
- Target
  
  venome otp BOT/OTP BOT/System.Windows.Controls.Ribbon.dll
- Size
  
  717KB
- MD5
  
  c938bb2a9537df587d9a4ce01de447b9
- SHA1
  
  8aee2b2e1c7c6786817a5136d011f8427ac9b92e
- SHA256
  
  c3fd046e992f96a0f4b729a6864d07f2320dc2f87fb34033874429c1f03b6931
- SHA512
  
  70eb8ee86a99f25dc9a35bad85e1dcb82dd16babbea6f2a9e540687caa96de3ccbd1205117820802853b3aa922a302183df8ec9c2cd459a4d5c111958de34e3b
- SSDEEP
  
  12288:CDZDWzv+aVPZDpPBi87JBIgu7PO447irbrM+murmje0Prjk3rNr0kzqA7+pHlj99:OmUzpXlzEOIF6HX6
Score

3^/10

discovery
behavioral11 behavioral12
- Target
  
  venome otp BOT/OTP BOT/ToolGood.Words.dll
- Size
  
  1.2MB
- MD5
  
  d047d2c045926b9748c73be11ec24186
- SHA1
  
  21eff8339272aeb5f8583e21d39799e0805ae228
- SHA256
  
  155a4e2a6bdf33705a5a1d9269cd080ebac08a7acb8bc736c1a519f84a8dca42
- SHA512
  
  bc1fb21afea84c5f3ad237cda960b62d730df1f2132eaa9e2e104d6600c1fa48e880843967c4ee16ba80831dc62ff14e97bd679f633d03a5cf5923316036f3d9
- SSDEEP
  
  24576:hZP2XzaG6Rv2aGyYRswDBHj6HnLfjU2qaP64XIOeUSJ/5cnGmacfR:hZuXzayzRsqj6Ltq264XIOk77M
Score

1^/10
behavioral13 behavioral14
- Target
  
  venome otp BOT/OTP BOT/venome OTP BOT.exe
- Size
  
  320KB
- MD5
  
  6dd244ddd53c77f55d357aea0f3bc628
- SHA1
  
  30d55d00b20777fcc4032c04294f98f3d6ea6bce
- SHA256
  
  4a1b68b1e57efca7e9b6eb5dd42f264e6cadb86fce91eda03364bb444eeb7125
- SHA512
  
  edb001f6b6c53d7007a63332f16e7f09534cbdd8a2cbc789d9889d4dd8cdb1e1dfea967f0fc03cf1b6e31be2a24fbe08bf9b3b1c2e89631a2a6db49c281b0631
- SSDEEP
  
  6144:3m/Q1Q5Ng68j/svmHC40+XIzFUygWK0tWrcBOvZ:3m/Q6P8j/svm1TXI5tZB
Score

10^/10

stormkitty collection discovery spyware stealer
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Stormkitty family
  stormkitty
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral15 behavioral16
- Target
  
  venome otp BOT/OTP BOT/xNet.dll
- Size
  
  99KB
- MD5
  
  43199187819f5cfb4777edb17dda52e1
- SHA1
  
  926b4d53d74ed0b35b03e552c1901433d8dfa53c
- SHA256
  
  ae8de80698553ebce2f8be298683138297da8095c523b1b4156fcbc5f05f672f
- SHA512
  
  9f0196fdbf3d681cfce643b3dd9bdcbce3bfb30d77cfc539f25c7ce350e091de1b755ebf821e48556d22450e63ac12dd65be5441183588bb3b69baf2955b7db8
- SSDEEP
  
  3072:dNJJH7HdeR19aNqnV+xnEdGmrwqULY3wiqq0Yas2r:dPJbdqnV+xnEdnyE2
Score

1^/10
behavioral17 behavioral18

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

StormKitty payload

Stormkitty family

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Drops desktop.ini file(s)

Looks up external IP address via web service

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18