stormkitty | 8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-02-2025 03:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe
Size

3.5MB
MD5

bc94fb14f22e7bdd8925899e3df74a9a
SHA1

2f9766d357e3b4769e211d0b78ddcb63c4665a9a
SHA256

8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55
SHA512

01fdc03786790f24de77ead2755b598fbf5508f416f145a65c43ebbb12e6567dd5a9cb4c583fc4dccd271cd14c2eb9a88d4f6c55591525ec884c2f138e350254
SSDEEP

49152:0I4JBgBnW/0bDlCv2smtkHbtnWYbRyU8jaQmJ2ip0goEfCTEYClGWS1bQIRMgpN4:07JF24DmIbtF69mJ2ip0EfxFlGHdRMG

Score

10^/10

stormkitty collection defense_evasion discovery spyware stealer themida trojan

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 3 IoCs

resource	yara_rule
behavioral1/memory/1876-28-0x0000000000400000-0x0000000000D70000-memory.dmp	family_stormkitty
behavioral1/memory/1876-29-0x0000000000400000-0x0000000000D70000-memory.dmp	family_stormkitty
behavioral1/memory/1876-237-0x0000000000400000-0x0000000000D70000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/1876-28-0x0000000000400000-0x0000000000D70000-memory.dmp	themida
behavioral1/memory/1876-29-0x0000000000400000-0x0000000000D70000-memory.dmp	themida
behavioral1/memory/1876-237-0x0000000000400000-0x0000000000D70000-memory.dmp	themida

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\VORHPBAB\FileGrabber\Desktop\desktop.ini	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe
File created	C:\Users\Admin\AppData\Local\VORHPBAB\FileGrabber\Documents\desktop.ini	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe
File created	C:\Users\Admin\AppData\Local\VORHPBAB\FileGrabber\Downloads\desktop.ini	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe
File created	C:\Users\Admin\AppData\Local\VORHPBAB\FileGrabber\Pictures\desktop.ini	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	freegeoip.app
18	api.ipify.org
19	api.ipify.org
20	ip-api.com
22	api.ipify.org
23	api.ipify.org
5	freegeoip.app

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1876	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1876	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe
1876	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe
1876	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe
1876	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe
1876	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe
1876	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe
1876	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1876	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe

C:\Users\Admin\AppData\Local\Temp\8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe
"C:\Users\Admin\AppData\Local\Temp\8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Accesses Microsoft Outlook profiles
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\VORHPBAB\FileGrabber\Desktop\RenameExport.xlsx

Filesize
11KB

MD5
50273765d6ae75f3fb74a48335716301

SHA1
6de69452fcdc17e5ceb4a32dbb693a1fa46fb51f

SHA256
a7a55181464d787cd64138f588c5362a19136065ea6d8b3384a838176a88f6b0

SHA512
b0e2575e3e0ea9f6e990a94b5726649a17079e2aa92b5050363be800ec2c72711a8d23dc94ca2523a9e91876cc39b7ed916dfe6227f68391247903789c795f72

Download Submit
C:\Users\Admin\AppData\Local\VORHPBAB\FileGrabber\Desktop\StopClose.html

Filesize
1.5MB

MD5
c473378928db36995de6f1b87268cc33

SHA1
58e0bbe4671f174f6d0d47efda037db8f5545e1e

SHA256
84f6bba7992f93c642b8e8580ce81427faa9546c9621720cc4d9f74975e33ea1

SHA512
f4e526f2f48e9eccc0cd09f217cdba81ea2bb8ca7498db44e947ac2cdc76e20bfa1a6ade46e19a2238b35d13d5bdf8b6eeafb1c07fc54a9b726684050ee1029b

Download Submit
C:\Users\Admin\AppData\Local\VORHPBAB\FileGrabber\Documents\BackupSkip.rtf

Filesize
423KB

MD5
4f1f5901dddb757a5edc7e4ea1ef02f0

SHA1
1f49093fa0e8cba82f11369c98e7a81a78209617

SHA256
38200a9f67304454a4742b9ce5f299b42f25ebddcdc0abd544a8e9d2b3ef0f5e

SHA512
b32ec089e30a3ff344eb37b1481e7a35112b710ac5feb856a927b74e014c9c57de886ccb80c38150914132c57a8f83a8b7303113b7f72078d75e21b1c7d962a1

Download Submit
C:\Users\Admin\AppData\Local\VORHPBAB\FileGrabber\Documents\ConvertNew.docx

Filesize
628KB

MD5
d0f64ca2a3c8a01432ff3800e02136cb

SHA1
1666fcb54691033ded4aec4c787f6b16f2c5d4ab

SHA256
c6b547a1a6185f663637b95944cb728a38404ff90edcd21409138a8178ad9b7a

SHA512
907d6d5c2d6418b5ffdbd93026ca01ebb0556c47132b5e15fea1f3f5eeeb9b0292030bef20a935b67f8d9e28fcd50133bf0b220e79ecfd4624d7343d327da7ca

Download Submit
C:\Users\Admin\AppData\Local\VORHPBAB\FileGrabber\Documents\GrantUse.docx

Filesize
1.1MB

MD5
6cbfdd61af30076f48d7c53c451b2097

SHA1
b1d218813f6149f024773e8ad971cf827f582052

SHA256
8b6bf0a00412c0dc55373c71e576646efe3fbe37de569d35ef5d6207ebf21e1e

SHA512
5fd8900ad50708d33b882eb32cfcd4c24a93c54a5536c1181b301028adf6042f5b9e9816c9a255516efbeba8d0831a88d3b5224e830425c4eedaf4ca04c4afe3

Download Submit
C:\Users\Admin\AppData\Local\VORHPBAB\FileGrabber\Downloads\ConvertToPublish.docx

Filesize
348KB

MD5
dd9265bf15a94a7a6af6629aaeae0f1e

SHA1
bc112a8f83c1333e595c19018385c160e2ba69d7

SHA256
e41feabf3d6a66519c8ee66127afb594cba5c365e484e31d56ef8e375bbb1e8a

SHA512
f03649afe22a5ab5c00459a706b5d1cd6da227f2d7413ff9f04111730dbc660e553cd8ed1e52d97e0e88886d728dc8d109b97d75d1676f10d61d15319af32212

Download Submit
C:\Users\Admin\AppData\Local\VORHPBAB\FileGrabber\Downloads\RepairOut.html

Filesize
333KB

MD5
2c592497d22317b70f9cccfecdcd63c1

SHA1
399954a9b990cb16c2bcf75316ae7985c7fff5e1

SHA256
9a5aa506843493bc9fb24c9e056215ede27b0f1b7a5c0a172aff0ed0639b701a

SHA512
7091efb64132be3f2e342a2a2374dec01fe6c00396820b9e185b9084a4675ea89256075484d048739185dfaeafe443a24716a7ba7c82fecb26e6c25ccb522b8f

Download Submit
C:\Users\Admin\AppData\Local\VORHPBAB\FileGrabber\Downloads\ResumeSuspend.jpeg

Filesize
589KB

MD5
1b771dd56cbd37e8cfa72347e343517a

SHA1
7aad1fe5aa100f61e95f92745c925a6f61cb053a

SHA256
d1f8340908719a3592348c60c433486ec8b2c68785a10a81bd2ad7a1a4d7127e

SHA512
091c9741bafee6e8492aded1df82f8d600a1ee5c51f539e3407c7fd0a752b3c41ac0886bc61f7ed10373388bcd942a753b6e0129a71f8aefc5488d240dc3107b

Download Submit
C:\Users\Admin\AppData\Local\VORHPBAB\FileGrabber\Pictures\ConfirmAssert.jpg

Filesize
466KB

MD5
bc77599517a0b1f84849ae9640c71dcb

SHA1
e60ec0fc3745667c73dedcc1963c1803a1f93326

SHA256
86e63e6e4cc39c9e5f86c1cfd5f867598a0b74b16153078becb8cf3aeef3dce2

SHA512
37ab6e5b89e138dc104b9990d42844e5262b84da5702400f1e79f7b2f50a9d6a0ef7af2ebc1ee87452c7f66972ff1a47094828f8d04e1d3f90896ded6cda2f0b

Download Submit
C:\Users\Admin\AppData\Local\VORHPBAB\FileGrabber\Pictures\DebugWrite.svg

Filesize
329KB

MD5
347ddeb270b00a512ca28f1a4c1143ac

SHA1
c5196ced883d22ed611345ec42dd8725a2f11214

SHA256
3fd0cf76bc4a1a35e9afda02363e9b2e7702ea0b15461750e9dd04e4624c8bce

SHA512
e05c5fddc2bedf50cd0db457f51b5179672c24cbdba7b2b321b9e64b762bd85d8c6c007b27d2e1086a7cca97a25639868943466aa7efc7884296fc7ced2b8375

Download Submit
C:\Users\Admin\AppData\Local\VORHPBAB\FileGrabber\Pictures\MeasureRename.bmp

Filesize
238KB

MD5
6cf5cc452e91d1fddfdfa2ec12aa7914

SHA1
b67fd528739a41478a856346d7d8092005776fdc

SHA256
dd1859a898ccde55a64302da2ae080bc9f9d7509d2b369b8ee3521ca50d92eb4

SHA512
7210003eb44abfb3812b410a3124687a87d83a08c7d89c8ed5269ac90088bfb860256a19ea9f07c1a05883db19bdb0be2d7bbc072ea1424b19c007717f662fe1

Download Submit
C:\Users\Admin\AppData\Local\VORHPBAB\FileGrabber\Pictures\RenameExport.jpeg

Filesize
398KB

MD5
52053140c695f082d7e5e39a9b3ac14e

SHA1
2d500698b17c2dd2b8d37be2bc0d43b0877ac5a2

SHA256
2d3617473ddb2e1a3f12aa4f599c624b70d90fa11d898e1468d3312ee6688222

SHA512
37e295a259fbde69c85a7363b65035d36274a1e0593cd4517fe0a0c7870e3add20d9147de82797dafa0335b29295e02cb17bee5d2276d60cfad2d1fa5452ae61

Download Submit
memory/1876-24-0x0000000076E80000-0x0000000076F90000-memory.dmp

Filesize
1.1MB

Download
memory/1876-100-0x0000000076E80000-0x0000000076F90000-memory.dmp

Filesize
1.1MB

Download
memory/1876-22-0x0000000076E80000-0x0000000076F90000-memory.dmp

Filesize
1.1MB

Download
memory/1876-21-0x0000000076E80000-0x0000000076F90000-memory.dmp

Filesize
1.1MB

Download
memory/1876-20-0x0000000076E80000-0x0000000076F90000-memory.dmp

Filesize
1.1MB

Download
memory/1876-19-0x0000000076E80000-0x0000000076F90000-memory.dmp

Filesize
1.1MB

Download
memory/1876-26-0x0000000076E80000-0x0000000076F90000-memory.dmp

Filesize
1.1MB

Download
memory/1876-18-0x0000000076E80000-0x0000000076F90000-memory.dmp

Filesize
1.1MB

Download
memory/1876-17-0x0000000076E80000-0x0000000076F90000-memory.dmp

Filesize
1.1MB

Download
memory/1876-16-0x0000000076E80000-0x0000000076F90000-memory.dmp

Filesize
1.1MB

Download
memory/1876-15-0x0000000076E80000-0x0000000076F90000-memory.dmp

Filesize
1.1MB

Download
memory/1876-14-0x0000000076E80000-0x0000000076F90000-memory.dmp

Filesize
1.1MB

Download
memory/1876-13-0x0000000076E80000-0x0000000076F90000-memory.dmp

Filesize
1.1MB

Download
memory/1876-12-0x0000000076E80000-0x0000000076F90000-memory.dmp

Filesize
1.1MB

Download
memory/1876-11-0x0000000076E80000-0x0000000076F90000-memory.dmp

Filesize
1.1MB

Download
memory/1876-28-0x0000000000400000-0x0000000000D70000-memory.dmp

Filesize
9.4MB

Download
memory/1876-29-0x0000000000400000-0x0000000000D70000-memory.dmp

Filesize
9.4MB

Download
memory/1876-30-0x0000000076E80000-0x0000000076F90000-memory.dmp

Filesize
1.1MB

Download
memory/1876-99-0x0000000000400000-0x0000000000D70000-memory.dmp

Filesize
9.4MB

Download
memory/1876-23-0x0000000076E80000-0x0000000076F90000-memory.dmp

Filesize
1.1MB

Download
memory/1876-112-0x0000000076E94000-0x0000000076E95000-memory.dmp

Filesize
4KB

Download
memory/1876-113-0x0000000076E80000-0x0000000076F90000-memory.dmp

Filesize
1.1MB

Download
memory/1876-115-0x0000000076E80000-0x0000000076F90000-memory.dmp

Filesize
1.1MB

Download
memory/1876-0-0x0000000000400000-0x0000000000D70000-memory.dmp

Filesize
9.4MB

Download
memory/1876-25-0x0000000076E80000-0x0000000076F90000-memory.dmp

Filesize
1.1MB

Download
memory/1876-7-0x0000000076E80000-0x0000000076F90000-memory.dmp

Filesize
1.1MB

Download
memory/1876-8-0x0000000076E80000-0x0000000076F90000-memory.dmp

Filesize
1.1MB

Download
memory/1876-10-0x0000000076E80000-0x0000000076F90000-memory.dmp

Filesize
1.1MB

Download
memory/1876-9-0x0000000076E80000-0x0000000076F90000-memory.dmp

Filesize
1.1MB

Download
memory/1876-2-0x0000000076E80000-0x0000000076F90000-memory.dmp

Filesize
1.1MB

Download
memory/1876-6-0x0000000076E80000-0x0000000076F90000-memory.dmp

Filesize
1.1MB

Download
memory/1876-5-0x0000000076E80000-0x0000000076F90000-memory.dmp

Filesize
1.1MB

Download
memory/1876-4-0x0000000076E80000-0x0000000076F90000-memory.dmp

Filesize
1.1MB

Download
memory/1876-3-0x0000000076E80000-0x0000000076F90000-memory.dmp

Filesize
1.1MB

Download
memory/1876-1-0x0000000076E94000-0x0000000076E95000-memory.dmp

Filesize
4KB

Download
memory/1876-235-0x0000000076E80000-0x0000000076F90000-memory.dmp

Filesize
1.1MB

Download
memory/1876-237-0x0000000000400000-0x0000000000D70000-memory.dmp

Filesize
9.4MB

Download
memory/1876-238-0x0000000076E80000-0x0000000076F90000-memory.dmp

Filesize
1.1MB

Download