stormkitty | 736f8b467d09e4805d336c56b49ec183355dc433e04b93904d2e8d5876d5b9de

Analysis

max time kernel
79s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
18-02-2025 08:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PussyKiller.exe
Size

74KB
MD5

7acd7ca811c678a92d62d556cae858dc
SHA1

b05d0fd47d2d905234db53614f725e3744c93b3e
SHA256

736f8b467d09e4805d336c56b49ec183355dc433e04b93904d2e8d5876d5b9de
SHA512

24fe70950fc092d9de383f5c80c70bdc4bd5e342b927e2fb495752e0036c3d2eb0547f60467ef5019a686fffd2f8057105d13dd566172f9438ffe4434748166b
SSDEEP

1536:rNtW7bvrmSbUMiuidaw6v3ZfXR6/A8Id0FWGV09auvIUxjFxtbm:rzTyXRKA8Iwg9auvIUhFxty

Score

10^/10

stormkitty persistence stealer

Malware Config

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral2/memory/4320-1-0x0000000000E50000-0x0000000000E68000-memory.dmp	disable_win_def

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/4320-1-0x0000000000E50000-0x0000000000E68000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nvidiaDValueOn = "C:\\Users\\Admin\\AppData\\Local\\NVIDIA Local Drivers\\DriversUpdateProcess_x64.exe"	PussyKiller.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	checkip.dyndns.org

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4320	PussyKiller.exe

C:\Users\Admin\AppData\Local\Temp\PussyKiller.exe
"C:\Users\Admin\AppData\Local\Temp\PussyKiller.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4320-0-0x00007FF817AC3000-0x00007FF817AC5000-memory.dmp

Filesize
8KB

Download
memory/4320-1-0x0000000000E50000-0x0000000000E68000-memory.dmp

Filesize
96KB

Download
memory/4320-2-0x00007FF817AC0000-0x00007FF818581000-memory.dmp

Filesize
10.8MB

Download
memory/4320-3-0x00007FF817AC3000-0x00007FF817AC5000-memory.dmp

Filesize
8KB

Download
memory/4320-6-0x00007FF817AC0000-0x00007FF818581000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads