stormkitty | d3cf46a48919b2e21163ec3a38b3212eb2a130c0c58e9797590d0ef1767583d8

Analysis

max time kernel
103s
max time network
109s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
17/04/2025, 17:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Builder.exe
Size

40KB
MD5

766b531d3ea87df07f4a30478e0b6fea
SHA1

3a723efa352eff3421bb1a6fbee9aac3c68a56bd
SHA256

d3cf46a48919b2e21163ec3a38b3212eb2a130c0c58e9797590d0ef1767583d8
SHA512

a8ba8f652cf030daad7ef4971b41253cfe57717b70c4aeed0ce1689a73d6d92562185e9b9aa672f6da1ce4ab476b152d08026060ed41d1b97f19044c135b4742
SSDEEP

384:gWSeROQvTrHR5szYa/Yw2MX1nHmFrooooooooooboooooooooLzyCWS/h4:xzjTDHsz/YSNyeyD04

Score

10^/10

stormkitty discovery stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/4456-1-0x00000000009A0000-0x00000000009AE000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5044	4456	WerFault.exe	76

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Builder.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3840	MiniSearchHost.exe

C:\Users\Admin\AppData\Local\Temp\Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Builder.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4456
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 1124
  2⤵
  - Program crash
  PID:5044

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4456 -ip 4456
1⤵
PID:5008

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
24KB

MD5
8c32b2c79e3be9272c13f50d28d2cea3

SHA1
a71044e003ae532b23d6fdac3ae73c384882eb91

SHA256
a3ae191a7f895c0cfcfc56dd439091378f6619e1a7bfa03e810b3f20f96d540e

SHA512
14489f5e5f62f0fa1f03feafc98e9e2e21ecff05b6811a906bdbfd3b8e70598f4aac61f9699069ba10659f4ba479cba1ef3712ee5ddea6486ccdd284ab03bd1a

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
24KB

MD5
619875482330c9ef5f27f0d12bac57fa

SHA1
9dec826075eeddf671d860e82ffd2360d6e5140c

SHA256
7d46f800f6d7244a121b1d7c5bc988ccf696a8df9825b71be0e7ced76a63db43

SHA512
60893cae569d97f9a30887027f8e0438914141c67ed290a4d543882b57948c497d89ee8a02a93eb45997f215c727d830445b537c02668e8bb3ae21e0972f5877

Download Submit
memory/4456-0-0x000000007447E000-0x000000007447F000-memory.dmp

Filesize
4KB

Download
memory/4456-1-0x00000000009A0000-0x00000000009AE000-memory.dmp

Filesize
56KB

Download
memory/4456-2-0x0000000074470000-0x0000000074C21000-memory.dmp

Filesize
7.7MB

Download
memory/4456-3-0x0000000005AD0000-0x0000000006076000-memory.dmp

Filesize
5.6MB

Download
memory/4456-4-0x000000007447E000-0x000000007447F000-memory.dmp

Filesize
4KB

Download
memory/4456-5-0x0000000074470000-0x0000000074C21000-memory.dmp

Filesize
7.7MB

Download
memory/4456-25-0x0000000074470000-0x0000000074C21000-memory.dmp

Filesize
7.7MB

Download