stormkitty | 6c303c36c48e2ad0c03eea089525a959f9d90e9df05544c5dc8ae499bea8cfe7

Analysis

max time kernel
121s
max time network
130s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17/01/2025, 15:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

venome otp BOT/OTP BOT/venome OTP BOT.exe
Size

320KB
MD5

6dd244ddd53c77f55d357aea0f3bc628
SHA1

30d55d00b20777fcc4032c04294f98f3d6ea6bce
SHA256

4a1b68b1e57efca7e9b6eb5dd42f264e6cadb86fce91eda03364bb444eeb7125
SHA512

edb001f6b6c53d7007a63332f16e7f09534cbdd8a2cbc789d9889d4dd8cdb1e1dfea967f0fc03cf1b6e31be2a24fbe08bf9b3b1c2e89631a2a6db49c281b0631
SSDEEP

6144:3m/Q1Q5Ng68j/svmHC40+XIzFUygWK0tWrcBOvZ:3m/Q6P8j/svm1TXI5tZB

Score

10^/10

stormkitty collection discovery spyware stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral15/memory/2972-1-0x0000000000900000-0x0000000000956000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	venome OTP BOT.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	venome OTP BOT.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	venome OTP BOT.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\MXQFNXLT\FileGrabber\Desktop\desktop.ini	venome OTP BOT.exe
File created	C:\Users\Admin\AppData\Roaming\MXQFNXLT\FileGrabber\Documents\desktop.ini	venome OTP BOT.exe
File created	C:\Users\Admin\AppData\Roaming\MXQFNXLT\FileGrabber\Downloads\desktop.ini	venome OTP BOT.exe
File created	C:\Users\Admin\AppData\Roaming\MXQFNXLT\FileGrabber\Pictures\desktop.ini	venome OTP BOT.exe

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	api.ipify.org
20	ip-api.com
22	api.ipify.org
23	api.ipify.org
4	freegeoip.app
8	freegeoip.app
18	api.ipify.org

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	venome OTP BOT.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	venome OTP BOT.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	venome OTP BOT.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2972	venome OTP BOT.exe
2972	venome OTP BOT.exe
2972	venome OTP BOT.exe
2972	venome OTP BOT.exe
2972	venome OTP BOT.exe
2972	venome OTP BOT.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2972	venome OTP BOT.exe

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	venome OTP BOT.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	venome OTP BOT.exe

C:\Users\Admin\AppData\Local\Temp\venome otp BOT\OTP BOT\venome OTP BOT.exe
"C:\Users\Admin\AppData\Local\Temp\venome otp BOT\OTP BOT\venome OTP BOT.exe"
1⤵
- Accesses Microsoft Outlook profiles
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2972

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\MXQFNXLT\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Roaming\MXQFNXLT\FileGrabber\Desktop\AddUse.rtf

Filesize
184KB

MD5
14014d8660dcd0851f5f7db18e2924b2

SHA1
b930dd7d388ad4329ecc724ff472e0fc1c0ae650

SHA256
43387144c5209fac1376b9d161f0ae0895fc93e9488cba2fc967acd2790f8257

SHA512
2747b4c7eafeed7ac6a98e889a6d85196c4262ba024d7c8dc9cd7e1abb3578f866a8365fa52d3c9003d6613ef7e8d4ae37408f38f3cacbc541dcf4111849e056

Download Submit
C:\Users\Admin\AppData\Roaming\MXQFNXLT\FileGrabber\Desktop\GrantRestore.rtf

Filesize
337KB

MD5
5841dd05e5ee398796158db6d8818c6e

SHA1
3d155152ee8c4dc2f48056cd8fe3a92571263136

SHA256
b431da2f0cbca45e6040d992fb32341aa447b38ce38f10b0a2bfb0f3a329e1ef

SHA512
7f33a22bb4f1c82ddfeb9df12facd89ea752d4a8f7745af4d11af5018ccf3d8128b904dfe2a2236782411ca8477c5313674edda4da663a12c8b7005f597e0ae7

Download Submit
C:\Users\Admin\AppData\Roaming\MXQFNXLT\FileGrabber\Documents\DebugEdit.pptx

Filesize
799KB

MD5
f56f1355d902453f4b16244cf6716b53

SHA1
5d75bc89b6a302b8b235e0a7fac7a3ae2e22e9f6

SHA256
0929297df78446677311bb6a59ee9341a63c5a894cb553e1d714fd0a4c0f4693

SHA512
c604e274a614cedcef188dcd8b5991843b7c29c8704886db14d956a15e72a4444d4439922852874c91c4fc29720984a5a17daf002dae85950988afe672545de0

Download Submit
C:\Users\Admin\AppData\Roaming\MXQFNXLT\FileGrabber\Documents\GroupLock.xlsx

Filesize
496KB

MD5
e60d26aa9cb6bce7c74030b3892dc885

SHA1
47c6fef6baacedae0ece1a19e8b3da370b0478c8

SHA256
53d457988ae4355ca7a8b10ba95b924da96eeaec258c6d06b9e0fb25cf65f956

SHA512
69af016bf44f28f7680643912517c3da49fcc7b954f2bbf355cfdc93dc37dc75c7b9471dc8206bada5d5753ca346566b7cd3bc366dbfb591107afbc5589af871

Download Submit
C:\Users\Admin\AppData\Roaming\MXQFNXLT\FileGrabber\Pictures\DenyLimit.png

Filesize
337KB

MD5
b1bddf7983aa3f0c91d8e975af10ffa6

SHA1
767e7bd4ee8b41ec635c1f8d7df28ed0ec5364ff

SHA256
9a114ac0a456968eb6db5ea70eee5416c7e1ebd277cf2594d0778cfa69d3731f

SHA512
9aff8e8641bd0e93c63045bbfafe2aa72a830a9877d9e8c4176cc7067faecb532281550a06db402c4c5d04f446d89666d76f58c993a82c5e34bd87539e8e7160

Download Submit
C:\Users\Admin\AppData\Roaming\MXQFNXLT\FileGrabber\Pictures\DismountPing.jpg

Filesize
426KB

MD5
3e6c3615f4d9a8d8c2ff95c721e4a128

SHA1
6e3233cfce0646e14ee9adaca9bc1d5b351ad013

SHA256
51f3bf408d95839fbcfa80743a056bc93eb2104f29db23d3d351aa8c358d5ee0

SHA512
e14cd9b1d7001bf3371b8aa04dd080d2e91f1e7584878544a429ce2f241487c43d8be7a48e93783afedd16c4b9bb0e2095b67517f0fff60bbe10150efae55eae

Download Submit
C:\Users\Admin\AppData\Roaming\MXQFNXLT\FileGrabber\Pictures\GroupRegister.jpeg

Filesize
287KB

MD5
b0a8e98991fbd44c0fec2aa1c54e7d77

SHA1
bf156fdcac03bdb9bc3528707f8686efafcc8111

SHA256
ff691a308fdf311cce3e915e01379e7ec9c065010c686eba7bc562ef7fce4409

SHA512
2b13ce3070ade7b053ddb4849dfca01cb97d7964dcbca5ead00fb0f6beeae7df48e89cf794e81bf40b819e999e30d8a3f1e86bb05e797f3b931ad5409822e8c0

Download Submit
C:\Users\Admin\AppData\Roaming\MXQFNXLT\FileGrabber\Pictures\SelectConfirm.svg

Filesize
297KB

MD5
cf612520f3bed0d00214fbb53652be1a

SHA1
fa908b7209095944d721ea9590a19c095109b4b7

SHA256
5dff57936defc6fb00076ef0db5302b649161af1f0400b7d22dcaf516b125cb1

SHA512
2ca84aa300a46a62977b11d2e6230a2cb7734d04645848d7ee46ec1a99c6947fc71134b675f218dd32989284eda7d2a995d32e2e78c44474e8bcb55dd8754df9

Download Submit
memory/2972-2-0x0000000074B80000-0x000000007526E000-memory.dmp

Filesize
6.9MB

Download
memory/2972-1-0x0000000000900000-0x0000000000956000-memory.dmp

Filesize
344KB

Download
memory/2972-0-0x0000000074B8E000-0x0000000074B8F000-memory.dmp

Filesize
4KB

Download
memory/2972-154-0x0000000074B8E000-0x0000000074B8F000-memory.dmp

Filesize
4KB

Download
memory/2972-155-0x0000000074B80000-0x000000007526E000-memory.dmp

Filesize
6.9MB

Download
memory/2972-178-0x0000000074B80000-0x000000007526E000-memory.dmp

Filesize
6.9MB

Download