stormkitty | 1d774d2721679424669f9bef196869a5e9f2887a52b3c70add6e02759ee67555

Analysis

max time kernel
16s
max time network
15s
platform
windows11-21h2_x64
resource
win11-20250211-en
resource tags

arch:x64arch:x86image:win11-20250211-enlocale:en-usos:windows11-21h2-x64system
submitted
15-02-2025 20:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

build.exe
Size

106KB
MD5

84aecc7364a86a97ac197035cfa74ba0
SHA1

df3fa8c44f632547123d50ae59d4b78da9d1a5eb
SHA256

1d774d2721679424669f9bef196869a5e9f2887a52b3c70add6e02759ee67555
SHA512

76494685c37c1c56605f5fc89467c70416899fb80e53b4f3e25f056d8dac8067eaab4da66de1cb00b17a0e86866637e663033d7b737d203ef8f695244b508331
SSDEEP

1536:U7YfZJRZk79AZn8nESiIkD2V37AUIuvQ7sG69bAdI4pxReUbp2hp6bDQx:U+RZk7OZnc4YOWQ7sR9bGpxReUbpoD

Score

10^/10

stormkitty stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/memory/1628-1-0x0000000000430000-0x0000000000450000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	raw.githubusercontent.com
2	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2856	timeout.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
2464	taskkill.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1628	build.exe
Token: SeDebugPrivilege	2464	taskkill.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 1612	1628	build.exe	88
PID 1628 wrote to memory of 1612	1628	build.exe	88
PID 1612 wrote to memory of 3920	1612	cmd.exe	90
PID 1612 wrote to memory of 3920	1612	cmd.exe	90
PID 1612 wrote to memory of 2464	1612	cmd.exe	91
PID 1612 wrote to memory of 2464	1612	cmd.exe	91
PID 1612 wrote to memory of 2856	1612	cmd.exe	92
PID 1612 wrote to memory of 2856	1612	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp1671.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp1671.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:3920
- - C:\Windows\system32\taskkill.exe
    TaskKill /F /IM 1628
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2464
- - C:\Windows\system32\timeout.exe
    Timeout /T 2 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1671.tmp.bat

Filesize
112B

MD5
a814d703744e30394067da432f1e1ebe

SHA1
7f6c78ec8664c7d4d966f034064cd08621fd1e2c

SHA256
56986218429a685b94d3317d61dacdc11778db264ea088ea77d09283b72c43b9

SHA512
1a39cdeaf635aea8ceb086e143432398dead6095ad5231ac723ef0fe85cb807aed6d27e654bb126c6c676a8cb2335d0eab9cd32477f82729690d7df981e4dcd2

Download Submit
memory/1628-0-0x00007FFA76F33000-0x00007FFA76F35000-memory.dmp

Filesize
8KB

Download
memory/1628-1-0x0000000000430000-0x0000000000450000-memory.dmp

Filesize
128KB

Download
memory/1628-2-0x00007FFA76F30000-0x00007FFA779F2000-memory.dmp

Filesize
10.8MB

Download
memory/1628-3-0x00007FFA76F33000-0x00007FFA76F35000-memory.dmp

Filesize
8KB

Download
memory/1628-4-0x00007FFA76F30000-0x00007FFA779F2000-memory.dmp

Filesize
10.8MB

Download
memory/1628-7-0x00007FFA76F30000-0x00007FFA779F2000-memory.dmp

Filesize
10.8MB

Download