stormkitty | 1052190feea6f77f7d3bd556aceaffa1ffc1a60c5f4fb047f1660fac9a065cf4

Analysis

max time kernel
101s
max time network
104s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
18/04/2025, 02:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-18_c82c31b7819148e9da1e19290c6e3aaa_black-basta_elex_luca-stealer.exe
Size

368KB
MD5

c82c31b7819148e9da1e19290c6e3aaa
SHA1

85b083cc9825782bd75029513e97f0d741c52316
SHA256

1052190feea6f77f7d3bd556aceaffa1ffc1a60c5f4fb047f1660fac9a065cf4
SHA512

25277bf0474020ee457a379e2fb7087b9699bfc4990db2e0c2ca99b0a02338f862ee4fbab593632e24f3c1d57465344d9a14032d3c5157656d6f267f420beb61
SSDEEP

6144:bsCwu+mWhJifvtNP/7YXSLB80PYjKxohR3phzaqzwtLexBopl1nMewBT:QxmIJQvPkit+asR3phzyGopl1N2T

Score

10^/10

stormkitty collection discovery spyware stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

resource	yara_rule
behavioral2/files/0x001b00000002b05c-4.dat	family_stormkitty
behavioral2/memory/480-13-0x0000000000B90000-0x0000000000BE6000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Executes dropped EXE 1 IoCs

pid	Process
480	Silver bullet.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Silver bullet.exe
Key opened	\REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Silver bullet.exe
Key opened	\REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Silver bullet.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File created	C:\ProgramData\WTHRYIHC\FileGrabber\Desktop\desktop.ini	Silver bullet.exe
File created	C:\ProgramData\WTHRYIHC\FileGrabber\Documents\desktop.ini	Silver bullet.exe
File created	C:\ProgramData\WTHRYIHC\FileGrabber\Downloads\desktop.ini	Silver bullet.exe
File created	C:\ProgramData\WTHRYIHC\FileGrabber\Pictures\desktop.ini	Silver bullet.exe

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	freegeoip.app
1	ip-api.com
2	api.ipify.org
3	freegeoip.app
18	api.ipify.org

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-18_c82c31b7819148e9da1e19290c6e3aaa_black-basta_elex_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Silver bullet.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Silver bullet.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Silver bullet.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
480	Silver bullet.exe
480	Silver bullet.exe
480	Silver bullet.exe
480	Silver bullet.exe
480	Silver bullet.exe
480	Silver bullet.exe
480	Silver bullet.exe
480	Silver bullet.exe
480	Silver bullet.exe
480	Silver bullet.exe
480	Silver bullet.exe
480	Silver bullet.exe
480	Silver bullet.exe
480	Silver bullet.exe
480	Silver bullet.exe
480	Silver bullet.exe
480	Silver bullet.exe
480	Silver bullet.exe
480	Silver bullet.exe
480	Silver bullet.exe
480	Silver bullet.exe
480	Silver bullet.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	480	Silver bullet.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1056 wrote to memory of 480	1056	2025-04-18_c82c31b7819148e9da1e19290c6e3aaa_black-basta_elex_luca-stealer.exe	82
PID 1056 wrote to memory of 480	1056	2025-04-18_c82c31b7819148e9da1e19290c6e3aaa_black-basta_elex_luca-stealer.exe	82
PID 1056 wrote to memory of 480	1056	2025-04-18_c82c31b7819148e9da1e19290c6e3aaa_black-basta_elex_luca-stealer.exe	82

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Silver bullet.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Silver bullet.exe

C:\Users\Admin\AppData\Local\Temp\2025-04-18_c82c31b7819148e9da1e19290c6e3aaa_black-basta_elex_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-18_c82c31b7819148e9da1e19290c6e3aaa_black-basta_elex_luca-stealer.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Silver bullet.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Silver bullet.exe"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Drops desktop.ini file(s)
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:480

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WTHRYIHC\Browsers\Firefox\Bookmarks.txt

Filesize
81B

MD5
ea511fc534efd031f852fcf490b76104

SHA1
573e5fa397bc953df5422abbeb1a52bf94f7cf00

SHA256
e5fe7f327ae62df007bd1117aa7f522dbbcd371ec67953f66d786424cb1d7995

SHA512
f7d8e575a2332b0fbd491b5e092b7ed6b0942a5165557fcc5d215d873b05103aa6ba01843133871c1c7ac81b10182a15895be49885c98d1a379dd55f88004fae

Download Submit
C:\ProgramData\WTHRYIHC\FileGrabber\Desktop\ApproveConnect.pdf

Filesize
189KB

MD5
2dbeb397112fee395d82cf51f821b3da

SHA1
28ab488e34337371cf7700171bbb4f507be492b6

SHA256
1baba47510ac4403bcca1034e041b20c07cc30c460bdbc18536a18127e5dd2a7

SHA512
96b79a27458ac15308653a6beeb56cdd38eb028ec8b754cccb8f61c4093da3f583f6b5d9d231659c7437d9fd99dfcc968e397a87fb093000decbb51e4518760c

Download Submit
C:\ProgramData\WTHRYIHC\FileGrabber\Desktop\ConvertSkip.jpeg

Filesize
215KB

MD5
5b39d3156ff577c21e3634d27b215a95

SHA1
541ca891fa15221642afc4c98013a2c5694a3720

SHA256
150e758c0ae9653c2a0b39007a8fa08b31b71378233e8e916f36818d69c725ce

SHA512
7480a106681903f1ada56b9aa6198a1bf6b2374ca5093ecd66c8fe0f26b85225f96779f30c47f1e5e763f6db11a90fd012d795920b20fcdf7119838c86541f30

Download Submit
C:\ProgramData\WTHRYIHC\FileGrabber\Desktop\GroupRestore.rtf

Filesize
359KB

MD5
5f5b2c81d474d03f839826676ca3ca72

SHA1
165c774e617543284d0c0493daab5c0f74316f75

SHA256
c32cc4c023b356a1b1f15607d5e179e9e81aa7e7e0a9f06c432f5fbddd2d1b5b

SHA512
8b075d99b44ef311b4f379eb2789073f220f60f83e8c12f60589ff3cf8934bb742ccd04c87dc8ed9fa71906a5fb7663a15bd924d4f6c2f90b5ae77a48304a029

Download Submit
C:\ProgramData\WTHRYIHC\FileGrabber\Desktop\RestartCopy.png

Filesize
222KB

MD5
1e05947f8cd654ccef85cbdd2a38d037

SHA1
2e5ab2c3706b53fbac5a4064667565b8859e4e01

SHA256
39f8c1ac844b00ac64e7ae41feb53cd71ef481403811009b0163383bf19cb7f8

SHA512
c5f49eaf1af1453517511c3cd5a62db5d683c82508d977f196dae45ec12e76c554d0e3f7ee297639b2300e5e1a5f79a5f186af39f9892e292ce25b35b2f46dd5

Download Submit
C:\ProgramData\WTHRYIHC\FileGrabber\Desktop\StepGrant.ini

Filesize
137KB

MD5
aeacd292cab9adfbb90722f45f2339c7

SHA1
42883ec683fdea04443fa08572972e46684e2380

SHA256
783e29ffc959b22b514101a9d85753060642d24004114cb24b31cd012ff6109a

SHA512
694fc531962c57642b4c560f94ab1334b083f8c6902aa0871cc979d41b396e90edab016b5406dcbf7e54833fd2f5841c145845aed0a71ef8a449fb96cc03b208

Download Submit
C:\ProgramData\WTHRYIHC\FileGrabber\Desktop\UseSkip.rtf

Filesize
176KB

MD5
2f3ba4df14128130e90fbe0da36a93f5

SHA1
7707192b12954ab959acffb44dd3e7c3595651ed

SHA256
d2741087b7b58a07bd590ffd8e578c1c56acd2f54f8fcfb59c599a50be74dfb1

SHA512
345053e0b8edd40cc42f9a94a328697f8a606e19746a41cd401e67aa3a6968f8400f5d9601d93ebd2839deaf5b320f92c844a85027f79c3dd53b869d0bd1b067

Download Submit
C:\ProgramData\WTHRYIHC\FileGrabber\Documents\EnterUnlock.docx

Filesize
640KB

MD5
0449d8afa0ee4fb14198961a9e45e2ce

SHA1
b42c2e59c9df04585a800df07e73c32c3b0f82a2

SHA256
f62ef01c27295943e6ede37551e4cf25859e56ac886cb382f423140addd52d73

SHA512
02daf21077e97852cda976f84a17d0ae20e8a81576e6ed4a0f7a04072c72579c555b82917674475f71c644dea62b2e288d83392ac3585f6603321a4e332c433f

Download Submit
C:\ProgramData\WTHRYIHC\FileGrabber\Documents\RenameConvertFrom.doc

Filesize
1.4MB

MD5
4232c07110d20170fea112eb7fff8d72

SHA1
eaa1499ffa484b71acf552821c5277678a0f02fe

SHA256
fd6f818b54722035566f73b1741ae91c6dea4c298369861ab91f453ab1d9e205

SHA512
3b5a9badf742c89f7cc0224debc417c83fe052ba56f50c0f8dee07812b9e7e9162d6e782bc402207f2479201374436265e388407256c0699405d7826f9040620

Download Submit
C:\ProgramData\WTHRYIHC\FileGrabber\Downloads\NewConnect.bmp

Filesize
243KB

MD5
55ae283b2bfdc019e8403b62e6ee2da9

SHA1
e7351c0520d6f7c9f13b09b08eab47e58078ea97

SHA256
ab0566cee98549bde2144483302d6919ae40bbca1391689512d7f306524c4321

SHA512
4f520459bf0d399d857a2aed47565de3f62e7a7111b00ee2cad53285f1ab8a10f3741b16f40ba62aaf35289a3866e793b502abbab169678e2f526408cdfb19f8

Download Submit
C:\ProgramData\WTHRYIHC\FileGrabber\Downloads\ResetRepair.png

Filesize
480KB

MD5
c552c2fe975794269fce5a6ee1d24575

SHA1
711408ccdd248974d28a8b73fc8bc994c2c100a1

SHA256
c2ea2d8e7c707eb3a96c48a30a9bac7b01a080486f12ececa5f1a0b3bd317798

SHA512
a7b6bf28d9eea8745d9f5afa86e3a5456d5988d75c70824d7877646c402a5402d1e3ce18865653ce78924d004235c3268168a2b39d8311e4593b1201e69797cb

Download Submit
C:\ProgramData\WTHRYIHC\FileGrabber\Downloads\RestartAssert.js

Filesize
388KB

MD5
8a0fac1e9e0640060011265b7fd62c0d

SHA1
ba52c9503d0b6405e97cc598d6a0deec4d9865c3

SHA256
4742a37b752400cda74a8b0403d492f0acc81647b63d5920ac53a4b13cadb7b2

SHA512
ac6cc5f5796d8051c2bc3f968ee1c1de99926a98295986cf501e4998b0a49c621fe2231062f92c2258e20d78accc3ea8034afd67b2530e0feec3dadf34297652

Download Submit
C:\ProgramData\WTHRYIHC\FileGrabber\Downloads\StartImport.txt

Filesize
612KB

MD5
d747d21e8d3f4d82d8891bfaa5e1017c

SHA1
1cdfa826c65450b070b4b18e1241e4ea3cb9869e

SHA256
5623410a1764bc7afd804dccc5ac55ac5b9d03b8280d22611f2f47ce6ce10465

SHA512
9fe8779dbbf2dc7029becb91452fdf34afd26e36a85cefd48e99250bbf9337d097752f5d3a40c6e1616ee59650eb5b3aea1f00e9d4808fcc6a5fb364d558d944

Download Submit
C:\ProgramData\WTHRYIHC\FileGrabber\Pictures\ExitBlock.svg

Filesize
294KB

MD5
4ff307e0cf5d09a19f3783d64c0348d7

SHA1
3d983731fae0832b4b490a8d5f4fb4a7fd7e4cc4

SHA256
b915311c5b74cbc9f2d5d16207001f156bd550dec23ffa6dae18f53edf0e1603

SHA512
d2b90c280d4b868330752ef77e9ee42972c7c10e0c9794df52ed79226fcd9de18c10756812c224792d3e9837f7b61a33a362127eab8ada8dcddaf5481b455d63

Download Submit
C:\ProgramData\WTHRYIHC\FileGrabber\Pictures\GetStep.png

Filesize
140KB

MD5
bc171212d1ecfb32f346183010d966d8

SHA1
d46acc48684be65a95377a9a74b79733efef82d5

SHA256
c3fea5c5f21803cf0dc59a2b4c8ffc581aa39e151d68b09ea4ac6592d9469601

SHA512
9bd66bc79c5d6a403b8d9eaf6c42d63a02de1eefa62ee9be0f3aced21770ab426b2465e3142d9d1b8ab379cdbbffcc0ab6487212c6864eff62eb745bf55ba26e

Download Submit
C:\ProgramData\WTHRYIHC\FileGrabber\Pictures\InvokeClose.svg

Filesize
308KB

MD5
bf18434480a47b57158ac9be3e350c92

SHA1
72df6d1090f4555fa4ac51f91b6ca5fd9d6df2f9

SHA256
2551d0c0a6d83cc2511d9f7ff5bbbb9ca9895bf5d8b7646b447c585ad0606c97

SHA512
329d60a1ef2f78b5381102c2039655ead137afc0f496d00f3fe51b0e35dac0ce5c4f1b286f1b251f40a4de0545eb30d4a322fc26ca0448349fde141edbe7e676

Download Submit
C:\ProgramData\WTHRYIHC\FileGrabber\Pictures\MergeCompress.bmp

Filesize
210KB

MD5
acf6db700aa2158403c5cb27e2581e56

SHA1
557d95190c1805018abe9f68852d76a5ba28f25c

SHA256
7030cad806f346194379b06c1c7b743c764c127bd45c2f533b97159b95903a2a

SHA512
ab7e289a2df808a59ee59a2a79e8324f70fe0720ed899a2b48b57b0f4220bd8853587a9c8501671517aafe4e9a49d750880ef89c942e7b210ed3713b7b2daec8

Download Submit
C:\ProgramData\WTHRYIHC\FileGrabber\Pictures\OutReset.jpg

Filesize
175KB

MD5
a10d631b2a75c9ea0aa9abf44bfaef8c

SHA1
d3cae4d59228cc9acb2f1d8b4d14bad55a08231b

SHA256
064842653a9769c3ab8a24b0c6fcb7b69199ee4c7275df107b93fb52071e6be8

SHA512
18be012890c499ef5d65bf15af315fb788955f77b657f045801c55eac0e2e284093e545965a4cb4559db5695acad94a51f3b22f909de9908de903e194e796b77

Download Submit
C:\ProgramData\WTHRYIHC\FileGrabber\Pictures\PingLock.jpg

Filesize
126KB

MD5
34dd7595976d8749292524e752517b57

SHA1
150452ffb9521e19a4d48e261cc912f4e56963b2

SHA256
acb89fdf43cb086e04985967a755603b28adad62f4b9461b9c2dc3e21ea2395a

SHA512
cc250d4fe8f5e9ec9ab43266b1773bb0d61d0d6b0866094d2285e4580e1b1a4c5c8dae258b5221ec6e822153753d5f396e5bab6f92360e798b5e69aa6ff54b44

Download Submit
C:\ProgramData\WTHRYIHC\Process.txt

Filesize
4KB

MD5
45612b8be5ebda11ad2525e4eadcf31e

SHA1
2f81ad46d0c80cbde2fe3baa1a0cf384c7e13961

SHA256
c058367f841be9bbf8eee2b59e236009126544e9b4a7768d7c8e11d2d4379923

SHA512
bab7a240cd7ace7be626a5fe929e606a0762e28bde3bbbd59ce65627355a744e76ff6329d12e5bfe5b8bbbe6571d6b25b329247a9e0ed072ceb8b5400192c213

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Silver bullet.exe

Filesize
320KB

MD5
d970075839354b506a8b43a64b98fd1b

SHA1
d4a2477547fab0f77931d27a3a5cc6fbf636413f

SHA256
7879fab30a835c0cb17809240c2a9ae2eedda668b6049fd43c2952760ad4637d

SHA512
c687e42bec8fa32c78d266ffb1919261b4bc3cba1691464b95eca9e879f6001aea662829f49d01fd3d3e438ccc2287257fdad1af5ab3221df82bfc617dbfa5e7

Download Submit
memory/480-202-0x0000000072F6E000-0x0000000072F6F000-memory.dmp

Filesize
4KB

Download
memory/480-12-0x0000000072F6E000-0x0000000072F6F000-memory.dmp

Filesize
4KB

Download
memory/480-13-0x0000000000B90000-0x0000000000BE6000-memory.dmp

Filesize
344KB

Download
memory/480-14-0x0000000072F60000-0x0000000073711000-memory.dmp

Filesize
7.7MB

Download
memory/480-52-0x00000000069D0000-0x0000000006A62000-memory.dmp

Filesize
584KB

Download
memory/480-53-0x0000000007020000-0x00000000075C6000-memory.dmp

Filesize
5.6MB

Download
memory/480-55-0x0000000006E20000-0x0000000006E86000-memory.dmp

Filesize
408KB

Download
memory/480-288-0x0000000072F60000-0x0000000073711000-memory.dmp

Filesize
7.7MB

Download
memory/480-324-0x0000000072F60000-0x0000000073711000-memory.dmp

Filesize
7.7MB

Download