stormkitty | 6c303c36c48e2ad0c03eea089525a959f9d90e9df05544c5dc8ae499bea8cfe7

Analysis

max time kernel
148s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-01-2025 15:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

venome otp BOT/OTP BOT/venome OTP BOT.exe
Size

320KB
MD5

6dd244ddd53c77f55d357aea0f3bc628
SHA1

30d55d00b20777fcc4032c04294f98f3d6ea6bce
SHA256

4a1b68b1e57efca7e9b6eb5dd42f264e6cadb86fce91eda03364bb444eeb7125
SHA512

edb001f6b6c53d7007a63332f16e7f09534cbdd8a2cbc789d9889d4dd8cdb1e1dfea967f0fc03cf1b6e31be2a24fbe08bf9b3b1c2e89631a2a6db49c281b0631
SSDEEP

6144:3m/Q1Q5Ng68j/svmHC40+XIzFUygWK0tWrcBOvZ:3m/Q6P8j/svm1TXI5tZB

Score

10^/10

stormkitty collection discovery spyware stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral16/memory/2744-1-0x00000000005B0000-0x0000000000606000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	venome OTP BOT.exe
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	venome OTP BOT.exe
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	venome OTP BOT.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File created	C:\ProgramData\OZMCVSQS\FileGrabber\Desktop\desktop.ini	venome OTP BOT.exe
File created	C:\ProgramData\OZMCVSQS\FileGrabber\Documents\desktop.ini	venome OTP BOT.exe
File created	C:\ProgramData\OZMCVSQS\FileGrabber\Downloads\desktop.ini	venome OTP BOT.exe
File created	C:\ProgramData\OZMCVSQS\FileGrabber\Pictures\desktop.ini	venome OTP BOT.exe

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	freegeoip.app
37	api.ipify.org
38	api.ipify.org
39	ip-api.com
16	freegeoip.app

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	venome OTP BOT.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	venome OTP BOT.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	venome OTP BOT.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2744	venome OTP BOT.exe
2744	venome OTP BOT.exe
2744	venome OTP BOT.exe
2744	venome OTP BOT.exe
2744	venome OTP BOT.exe
2744	venome OTP BOT.exe
2744	venome OTP BOT.exe
2744	venome OTP BOT.exe
2744	venome OTP BOT.exe
2744	venome OTP BOT.exe
2744	venome OTP BOT.exe
2744	venome OTP BOT.exe
2744	venome OTP BOT.exe
2744	venome OTP BOT.exe
2744	venome OTP BOT.exe
2744	venome OTP BOT.exe
2744	venome OTP BOT.exe
2744	venome OTP BOT.exe
2744	venome OTP BOT.exe
2744	venome OTP BOT.exe
2744	venome OTP BOT.exe
2744	venome OTP BOT.exe
2744	venome OTP BOT.exe
2744	venome OTP BOT.exe
2744	venome OTP BOT.exe
2744	venome OTP BOT.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2744	venome OTP BOT.exe

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	venome OTP BOT.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	venome OTP BOT.exe

C:\Users\Admin\AppData\Local\Temp\venome otp BOT\OTP BOT\venome OTP BOT.exe
"C:\Users\Admin\AppData\Local\Temp\venome otp BOT\OTP BOT\venome OTP BOT.exe"
1⤵
- Accesses Microsoft Outlook profiles
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\OZMCVSQS\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\ProgramData\OZMCVSQS\FileGrabber\Desktop\CompareHide.png

Filesize
549KB

MD5
e09c4c5db2d32f1af248db206712756b

SHA1
e5212cf4ffe0566b84f001e67e7ef4615b9c14fd

SHA256
a389b7c460ece6e58af898bb3314ced9e485c9ce33e713e3ad51ba9b8e45b4a3

SHA512
bf6f71b96f3aa6dd6304c0671bc75b13b19bb371352deb8884cf041eef347acde0621f75628e9b9ccbbd2b64ac23f9cd0097660b6f18e119b340c0634f0b600b

Download Submit
C:\ProgramData\OZMCVSQS\FileGrabber\Desktop\RequestResume.doc

Filesize
319KB

MD5
9d3bd6fee36be3d6672acc12af9f073d

SHA1
2fe71297382c0a83b6382e5d19e23d614af3304f

SHA256
f1eb928c962d77075cc1831fc599e8dad6c86dfcfd9c053c04c44e0ccf3c8339

SHA512
158f62db63282fe6a1885750f82d1b0e1f1570fbf4ee77066f9c770308ac155b9c3499c149dc6b86727a93a4878814b6d0ed0d75ef0ba0dab2797a4dd458600d

Download Submit
C:\ProgramData\OZMCVSQS\FileGrabber\Desktop\TestCheckpoint.css

Filesize
1.0MB

MD5
3ee307f1657613da2445b8b3f9d7e1b4

SHA1
ade6d039415933455f5d136e06930ea5e35f67a7

SHA256
c0f6fd0bbc5d412df7508600da15581a67efee319a28835ec41ad26b3c3d4d6e

SHA512
fb2ef8df5e0a55f5760aa8367446b422bebc8c7f984fb728a02e5a748d97e3216ba861c77a85495dad29f42c99b559e6398cf3fb8a25288a7a4706dd7faf8422

Download Submit
C:\ProgramData\OZMCVSQS\FileGrabber\Documents\OpenCompress.html

Filesize
2.0MB

MD5
7e95b60b23b047659626c606966c1927

SHA1
28bc8f409f7637ce2893501c7f6fb4d68e92622f

SHA256
dad37db199c73959ad324a75ddbefda907f79e2bb275303f1e20425a2ad4ddea

SHA512
95161d8f71094f4b030db7274bda03ffa1726e4aa989a6fa05b01d81dbb99112984f4530c84a2f6f3c8ee2eacbf38c8bbd36627c8cb987ac789042c096841570

Download Submit
C:\ProgramData\OZMCVSQS\FileGrabber\Downloads\CopyRedo.rtf

Filesize
609KB

MD5
5fd7253f7d5d7be7d175ced450595e58

SHA1
2301eb59cc72d5390a892b899479a3ce14c409fc

SHA256
3e5f02aaa8eb31adac61d8dbdee3ce84bc9447bb9902472dc08a92effabdf9de

SHA512
e30f4c557444e3495ea5e5294927e102af6eb13d0e71ea1a0e24d49eb14dd4d7daa05416476d4c5bf941bde2c0f99d329e4e936cf8f4cc826b599317ac4b42d6

Download Submit
C:\ProgramData\OZMCVSQS\FileGrabber\Downloads\ReadSelect.doc

Filesize
534KB

MD5
0decedb479eb3e6b6cafeed8266de98b

SHA1
77d809477f594fb509eeafa3f74cd05623802505

SHA256
0729de5a465844bf7860abae07c00e4a46fdaba20d00fcffca9f0006e153e1dd

SHA512
590e6db5742d504e17367ce15bdc55b92f4490a6808cc8f0bd2f98feb0ea4a41891c82627e434b361f6794a819432aefb3f83e8bcfff96e39e0f1b5fd0bcbc7a

Download Submit
C:\ProgramData\OZMCVSQS\FileGrabber\Pictures\DismountMove.png

Filesize
460KB

MD5
61a502a2406b8923a7823b5954fcd559

SHA1
94bd28a50839ca3310c6943e2e71a6e750cc6c91

SHA256
baa8b487c0f143874008c2af5240beeb0848641c08ca4d228bc9e8f20ff33011

SHA512
1770aa5899444a54e30aad79393b051ba2f122172f0794dd678e93c96884f0602f09aa9b35250bbfcbf1bc1572c06b8a561b46fcb1eaa8c3e7c1cbbfb61f3a91

Download Submit
C:\ProgramData\OZMCVSQS\FileGrabber\Pictures\FormatBackup.jpeg

Filesize
387KB

MD5
f8f864421136612dc3d8e23af606d865

SHA1
7559c1d161cbd8b988e5be0be575fc74c6732a78

SHA256
231f2a76a1f944f462a04b289dd5e1e760ad440ce644691233110469d1538ad1

SHA512
971bf976a1954b909d48f3d62352100f96eb83c910ec1f2a02256c65bfa01c341672605f0a61a081b73e03041c29e1ab5fd88867170d922d00a0ac860a6e8b7a

Download Submit
C:\ProgramData\OZMCVSQS\FileGrabber\Pictures\NewApprove.svg

Filesize
534KB

MD5
9b3175df5961fef44c2c5bcc6ab1a565

SHA1
aa2353bbe3fb95e9cc582a57afa8d42f37766eee

SHA256
61cd0f3c63a73a50edc13379dfc5aae2348af5e7626eb489da69e6d52491c706

SHA512
5761e66b912120df39c6eb6ba4d93b615fbf2b444e119e1ee5cb8a0b688a4b1f294f5567e4c15842c3d5c0afbdd6bdbfe8811686996f871d65783c89f0297bb3

Download Submit
C:\ProgramData\OZMCVSQS\Process.txt

Filesize
4KB

MD5
f449dc29c43c8ae48e4ad2e0c3e48cfc

SHA1
4bf6fc9b01c45ee25b70cdb232d97cfb508b0c48

SHA256
276ef4094d06a984993fb15117e7a5482ac9992f3f26a8b3d487af1eb0a10a13

SHA512
2fc7f1779113d51368bb8695e33d0fe8decaff9c519b126f9789c595db25ccb9e2af04eb001f4a9e240bd2f34f6d24ec01991d36a114a83833e133544f062d68

Download Submit
memory/2744-37-0x00000000066F0000-0x0000000006756000-memory.dmp

Filesize
408KB

Download
memory/2744-32-0x00000000067F0000-0x0000000006D94000-memory.dmp

Filesize
5.6MB

Download
memory/2744-31-0x00000000061A0000-0x0000000006232000-memory.dmp

Filesize
584KB

Download
memory/2744-204-0x0000000074AEE000-0x0000000074AEF000-memory.dmp

Filesize
4KB

Download
memory/2744-22-0x0000000074AE0000-0x0000000075290000-memory.dmp

Filesize
7.7MB

Download
memory/2744-1-0x00000000005B0000-0x0000000000606000-memory.dmp

Filesize
344KB

Download
memory/2744-0-0x0000000074AEE000-0x0000000074AEF000-memory.dmp

Filesize
4KB

Download
memory/2744-234-0x0000000074AE0000-0x0000000075290000-memory.dmp

Filesize
7.7MB

Download
memory/2744-260-0x0000000074AE0000-0x0000000075290000-memory.dmp

Filesize
7.7MB

Download