stormkitty | 9e25c89846782ebffd2814e14b232447b20df9105cdfbc5a662c721360f0c7cd

Analysis

max time kernel
118s
max time network
128s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
17-01-2025 20:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hmc hotmail.4/H/hmc hotmail.exe
Size

320KB
MD5

6dd244ddd53c77f55d357aea0f3bc628
SHA1

30d55d00b20777fcc4032c04294f98f3d6ea6bce
SHA256

4a1b68b1e57efca7e9b6eb5dd42f264e6cadb86fce91eda03364bb444eeb7125
SHA512

edb001f6b6c53d7007a63332f16e7f09534cbdd8a2cbc789d9889d4dd8cdb1e1dfea967f0fc03cf1b6e31be2a24fbe08bf9b3b1c2e89631a2a6db49c281b0631
SSDEEP

6144:3m/Q1Q5Ng68j/svmHC40+XIzFUygWK0tWrcBOvZ:3m/Q6P8j/svm1TXI5tZB

Score

10^/10

stormkitty collection discovery spyware stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral15/memory/2328-1-0x0000000000D10000-0x0000000000D66000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	hmc hotmail.exe
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	hmc hotmail.exe
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	hmc hotmail.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\XECUDNCD\FileGrabber\Pictures\desktop.ini	hmc hotmail.exe
File created	C:\Users\Admin\AppData\Roaming\XECUDNCD\FileGrabber\Desktop\desktop.ini	hmc hotmail.exe
File created	C:\Users\Admin\AppData\Roaming\XECUDNCD\FileGrabber\Documents\desktop.ini	hmc hotmail.exe
File created	C:\Users\Admin\AppData\Roaming\XECUDNCD\FileGrabber\Downloads\desktop.ini	hmc hotmail.exe

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	freegeoip.app
7	freegeoip.app
18	api.ipify.org
19	api.ipify.org
20	ip-api.com
22	api.ipify.org
23	api.ipify.org

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hmc hotmail.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	hmc hotmail.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	hmc hotmail.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2328	hmc hotmail.exe
2328	hmc hotmail.exe
2328	hmc hotmail.exe
2328	hmc hotmail.exe
2328	hmc hotmail.exe
2328	hmc hotmail.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2328	hmc hotmail.exe

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	hmc hotmail.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	hmc hotmail.exe

C:\Users\Admin\AppData\Local\Temp\hmc hotmail.4\H\hmc hotmail.exe
"C:\Users\Admin\AppData\Local\Temp\hmc hotmail.4\H\hmc hotmail.exe"
1⤵
- Accesses Microsoft Outlook profiles
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\XECUDNCD\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Roaming\XECUDNCD\FileGrabber\Desktop\OutWait.xlsx

Filesize
13KB

MD5
c9632419a6628e47117f6419434214b3

SHA1
fb6e4eab6376173a6c19fec82e894bcd9e4e3ec2

SHA256
6de07329783754d920dad4405fa307b5e9a8e8beb437794496791b5df90efc97

SHA512
081f0098bf32cc493407fee7ca0da1392c6ec029337dfae4cfb3c554accc820343dd86b8b99c94391b029d86ae29a6ece109df3b8ce9687b1d6053fac9d31203

Download Submit
C:\Users\Admin\AppData\Roaming\XECUDNCD\FileGrabber\Documents\NewInvoke.pdf

Filesize
663KB

MD5
2100f7527b4da0926d00c5279f96a110

SHA1
66f734e1408de9ed87a8e10a0da6133ad47974c5

SHA256
7db56278a4bf8e3380fb249a2a047db26f569dca26063618fe64febbb466ba1f

SHA512
006089760b4558b56085de79bae3e198569e68f33981f3f9d851caca9606ab1c1dfee1e68064f1cdd8c3de5b63a99897d074ae37ef397574c6c7129253ca7097

Download Submit
C:\Users\Admin\AppData\Roaming\XECUDNCD\FileGrabber\Documents\SearchComplete.html

Filesize
568KB

MD5
9998ee0fe96b04bb6227d78834576160

SHA1
f730de49ac9216773fdf201f75db11ec6494a8e7

SHA256
d60c0d7e6c42f56cd54af32ea1911e478243966140cd631a259d16d994152f0e

SHA512
8de209b8071a861de0c94c534c1a88938be99114bf8383704de14d6fa0d4de19e46fce1e968906570fffdcd4acf76dc98b539aa367b0809535835609ce3c667c

Download Submit
C:\Users\Admin\AppData\Roaming\XECUDNCD\FileGrabber\Pictures\CompleteRegister.bmp

Filesize
958KB

MD5
2864b92f74b10de31e06751ab82a2074

SHA1
04dc8b82d4d737e22ae590bf6be205bd81fccde7

SHA256
5a4b36caa30d5e1684bcc78a471d99f13ef52026693c46f637b5923e14f406ff

SHA512
d5a5931e3599ce9c27249dd222a649692afdccd040bc6bc0fafa42d2ce2f2a48d46b05ca23fffc39c3abf4d51d1f84b23f3754a143c3567b50052ff66a4dd87e

Download Submit
C:\Users\Admin\AppData\Roaming\XECUDNCD\FileGrabber\Pictures\TestSubmit.bmp

Filesize
542KB

MD5
857f862d22ba9435e90fbc5bf0de8729

SHA1
8980f9500b8bb4c10df8dc08fb74ddc12d3cc8b1

SHA256
855de4c442b05221190bf070d182319c813689f130b856a3b42d3e33240ac2b6

SHA512
40bdd97eb36a7a7e6a8ae4c804d6bc624778860f0c615095fbadea87c5c7a6c8496c1167e5de460a07a456cbaeeadc1fd7a52dbf46f9903a9978cc38c0b79570

Download Submit
memory/2328-0-0x0000000073F5E000-0x0000000073F5F000-memory.dmp

Filesize
4KB

Download
memory/2328-1-0x0000000000D10000-0x0000000000D66000-memory.dmp

Filesize
344KB

Download
memory/2328-2-0x0000000073F50000-0x000000007463E000-memory.dmp

Filesize
6.9MB

Download
memory/2328-149-0x0000000073F5E000-0x0000000073F5F000-memory.dmp

Filesize
4KB

Download
memory/2328-150-0x0000000073F50000-0x000000007463E000-memory.dmp

Filesize
6.9MB

Download
memory/2328-173-0x0000000073F50000-0x000000007463E000-memory.dmp

Filesize
6.9MB

Download