stormkitty | 1052190feea6f77f7d3bd556aceaffa1ffc1a60c5f4fb047f1660fac9a065cf4

Analysis

max time kernel
103s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
18/04/2025, 02:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-18_c82c31b7819148e9da1e19290c6e3aaa_black-basta_elex_luca-stealer.exe
Size

368KB
MD5

c82c31b7819148e9da1e19290c6e3aaa
SHA1

85b083cc9825782bd75029513e97f0d741c52316
SHA256

1052190feea6f77f7d3bd556aceaffa1ffc1a60c5f4fb047f1660fac9a065cf4
SHA512

25277bf0474020ee457a379e2fb7087b9699bfc4990db2e0c2ca99b0a02338f862ee4fbab593632e24f3c1d57465344d9a14032d3c5157656d6f267f420beb61
SSDEEP

6144:bsCwu+mWhJifvtNP/7YXSLB80PYjKxohR3phzaqzwtLexBopl1nMewBT:QxmIJQvPkit+asR3phzyGopl1N2T

Score

10^/10

stormkitty collection discovery spyware stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000400000001e69e-4.dat	family_stormkitty
behavioral1/memory/1064-13-0x0000000000310000-0x0000000000366000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	2025-04-18_c82c31b7819148e9da1e19290c6e3aaa_black-basta_elex_luca-stealer.exe

Executes dropped EXE 1 IoCs

pid	Process
1064	Silver bullet.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Silver bullet.exe
Key opened	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Silver bullet.exe
Key opened	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Silver bullet.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\ELDOIJJI\FileGrabber\Desktop\desktop.ini	Silver bullet.exe
File created	C:\Users\Admin\AppData\Roaming\ELDOIJJI\FileGrabber\Downloads\desktop.ini	Silver bullet.exe
File created	C:\Users\Admin\AppData\Roaming\ELDOIJJI\FileGrabber\Pictures\desktop.ini	Silver bullet.exe

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
37	ip-api.com
8	freegeoip.app
12	freegeoip.app
35	api.ipify.org
36	api.ipify.org

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-18_c82c31b7819148e9da1e19290c6e3aaa_black-basta_elex_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Silver bullet.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Silver bullet.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Silver bullet.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
1064	Silver bullet.exe
1064	Silver bullet.exe
1064	Silver bullet.exe
1064	Silver bullet.exe
1064	Silver bullet.exe
1064	Silver bullet.exe
1064	Silver bullet.exe
1064	Silver bullet.exe
1064	Silver bullet.exe
1064	Silver bullet.exe
1064	Silver bullet.exe
1064	Silver bullet.exe
1064	Silver bullet.exe
1064	Silver bullet.exe
1064	Silver bullet.exe
1064	Silver bullet.exe
1064	Silver bullet.exe
1064	Silver bullet.exe
1064	Silver bullet.exe
1064	Silver bullet.exe
1064	Silver bullet.exe
1064	Silver bullet.exe
1064	Silver bullet.exe
1064	Silver bullet.exe
1064	Silver bullet.exe
1064	Silver bullet.exe
1064	Silver bullet.exe
1064	Silver bullet.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1064	Silver bullet.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1028 wrote to memory of 1064	1028	2025-04-18_c82c31b7819148e9da1e19290c6e3aaa_black-basta_elex_luca-stealer.exe	86
PID 1028 wrote to memory of 1064	1028	2025-04-18_c82c31b7819148e9da1e19290c6e3aaa_black-basta_elex_luca-stealer.exe	86
PID 1028 wrote to memory of 1064	1028	2025-04-18_c82c31b7819148e9da1e19290c6e3aaa_black-basta_elex_luca-stealer.exe	86

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Silver bullet.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Silver bullet.exe

C:\Users\Admin\AppData\Local\Temp\2025-04-18_c82c31b7819148e9da1e19290c6e3aaa_black-basta_elex_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-18_c82c31b7819148e9da1e19290c6e3aaa_black-basta_elex_luca-stealer.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1028
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Silver bullet.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Silver bullet.exe"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Drops desktop.ini file(s)
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:1064

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Silver bullet.exe

Filesize
320KB

MD5
d970075839354b506a8b43a64b98fd1b

SHA1
d4a2477547fab0f77931d27a3a5cc6fbf636413f

SHA256
7879fab30a835c0cb17809240c2a9ae2eedda668b6049fd43c2952760ad4637d

SHA512
c687e42bec8fa32c78d266ffb1919261b4bc3cba1691464b95eca9e879f6001aea662829f49d01fd3d3e438ccc2287257fdad1af5ab3221df82bfc617dbfa5e7

Download Submit
C:\Users\Admin\AppData\Roaming\ELDOIJJI\Browsers\Firefox\Bookmarks.txt

Filesize
81B

MD5
ea511fc534efd031f852fcf490b76104

SHA1
573e5fa397bc953df5422abbeb1a52bf94f7cf00

SHA256
e5fe7f327ae62df007bd1117aa7f522dbbcd371ec67953f66d786424cb1d7995

SHA512
f7d8e575a2332b0fbd491b5e092b7ed6b0942a5165557fcc5d215d873b05103aa6ba01843133871c1c7ac81b10182a15895be49885c98d1a379dd55f88004fae

Download Submit
C:\Users\Admin\AppData\Roaming\ELDOIJJI\FileGrabber\Desktop\ProtectDisconnect.bmp

Filesize
295KB

MD5
c5af067b8d334830e11d01b552c5eda9

SHA1
074ef581d0d08f60d94e07384f30b68a819db01c

SHA256
793ce58679f66cbee5f09acff75b1627091e744c5b3884e947329f0d9ff0c22f

SHA512
2eb7b6c6ef731ed78ea0541fc564386fa1f9f6b7fbf56bacd749fd0f1f08e787bd5337e80956f8d8e7b8413f985089e484e35f1ed64efedefb8df4c6f0255ad7

Download Submit
C:\Users\Admin\AppData\Roaming\ELDOIJJI\FileGrabber\Desktop\RequestRename.png

Filesize
681KB

MD5
9bfb488e7691ce32a34450eb3d686747

SHA1
dc4214d1d8f395a8a45d525dc3f63d53b0a90220

SHA256
2fa82aab4f4abc114baafe97ffe510d3c79afcfe7f5473771b388642818a5653

SHA512
38fc4b423b2a2127d42c3589d4219abb5f9f569b2515f56da187b05671a23a1f4b921362ded3a127db2859f195f377b6ca1f4e196e7c9ad7729e8e90c723f7aa

Download Submit
C:\Users\Admin\AppData\Roaming\ELDOIJJI\FileGrabber\Desktop\RestoreRestart.bmp

Filesize
840KB

MD5
d2c79792ea8f93fc0e35b270dc85f0c3

SHA1
af59079861940a67828aea08c0e0415c48964f71

SHA256
3a7828206edc3810dce42370e9dd8ef18271c738257507b0130b9ed25527530d

SHA512
053ccfb03d72d35d22e95e47f45b112bd106a6142e62b918e8db6d2e2904e54c112b14717baf0569ecfebd628aa1261ccc779c76539fa0d5e88ca0537577a05a

Download Submit
C:\Users\Admin\AppData\Roaming\ELDOIJJI\FileGrabber\Documents\ConfirmSubmit.txt

Filesize
1.3MB

MD5
2514ece4ccabe6ed820deb28ecca5586

SHA1
55fe47b4d816f35703e8476ccad23fa41ffcb67f

SHA256
1b698157c39bd5576fe61ba15e4942301e129be8c45439de8f9ac280fcc2b53e

SHA512
35dc0ba8cfaa751c769766eb679882871e90a405af422b65d6ce625cc89814875958263a68f4c83144d89299e399d7094edf8530ead8fadc47f7ba111c99aee8

Download Submit
C:\Users\Admin\AppData\Roaming\ELDOIJJI\FileGrabber\Downloads\GrantUndo.js

Filesize
247KB

MD5
8efaa07f9847309bf405d5bbce545524

SHA1
602af9a9a9aa027fefa2bd3b8636509a97ca7ddd

SHA256
79baca31f106eb71d8982123d9bfca803d6a8e9e3f8389003b5f9582750548ce

SHA512
8744365d582c0f609016c1adc41dcb7329c21dc7206cd2ec1c23a1ec88be5f2ed5d08ec40549f129f30dfa31137b676a712c70064f33ec0b0ae84d414d6db846

Download Submit
C:\Users\Admin\AppData\Roaming\ELDOIJJI\FileGrabber\Downloads\InstallEnable.png

Filesize
408KB

MD5
eb4b4663ee2f344f141c661a0e30466a

SHA1
c2084b26d3f2ffcb897558d8b8725c328a16ddb5

SHA256
7a44eeab8663813732adc4e3fdc37f4df0d5ae7c7bcf072fb621e39331de17b1

SHA512
4711f6b08b3e34998d8dece8fdc918a5531fd4facd36a718d32139f1453796f107b65d71a133c1f1e6c71d3edf00a782b431a351179cdc22099840314008738e

Download Submit
C:\Users\Admin\AppData\Roaming\ELDOIJJI\FileGrabber\Downloads\UninstallInitialize.docx

Filesize
318KB

MD5
63d7228855aead2cdf0e7ae22ccb38c5

SHA1
b920eb7333345628ccf4df9699719f36b248941b

SHA256
128a3a0bd0035ca5a0a4820e1c923b980dee3a3c2b16a3af6694302aebc6f1c2

SHA512
45f9dfe834324906fbdf64fc2556216be589d8c213f7d4131553e912191c853deb61c64b465a199ce71a3c97be7940e327ccd7b395a8511480029a135406d7f6

Download Submit
C:\Users\Admin\AppData\Roaming\ELDOIJJI\FileGrabber\Pictures\GetSend.svg

Filesize
2.6MB

MD5
cee409ceceee14f5951665b692a114a3

SHA1
738496c71735d748a00e06a3ad5eb6bdb7128e7c

SHA256
c7669793949f23fea9aba988b570dc5677bfa301a2d8d497549d6cfbe9cc1a6d

SHA512
e56755a653a03363bd7d39465e322ec978e9673370fb3ca30f06010c6d4c2a6079b27ab890892dbf3bd3d3d8f3c86c37b529e00a2c13468a956a09c253bc7778

Download Submit
C:\Users\Admin\AppData\Roaming\ELDOIJJI\Process.txt

Filesize
4KB

MD5
9613a138fdaf3ac11030ba88cada3177

SHA1
38e4bca310ce90e99124b66b316ce77e0fc109c1

SHA256
dbba3c55802cefc8f95fd3cdff7f425f811719fb3112513850245d5e6e985582

SHA512
2df3b2923a015d224b1f3af313f6d324242eecf3900c9c5cc917a8bc0690322849e57c4440f92d5c8a0782c76ff42937d82091081df6f2abee01830e8a988895

Download Submit
memory/1064-164-0x0000000072DBE000-0x0000000072DBF000-memory.dmp

Filesize
4KB

Download
memory/1064-63-0x0000000006280000-0x00000000062E6000-memory.dmp

Filesize
408KB

Download
memory/1064-58-0x0000000006440000-0x00000000069E4000-memory.dmp

Filesize
5.6MB

Download
memory/1064-57-0x00000000051C0000-0x0000000005252000-memory.dmp

Filesize
584KB

Download
memory/1064-14-0x0000000072DB0000-0x0000000073560000-memory.dmp

Filesize
7.7MB

Download
memory/1064-13-0x0000000000310000-0x0000000000366000-memory.dmp

Filesize
344KB

Download
memory/1064-12-0x0000000072DBE000-0x0000000072DBF000-memory.dmp

Filesize
4KB

Download
memory/1064-231-0x0000000072DB0000-0x0000000073560000-memory.dmp

Filesize
7.7MB

Download
memory/1064-259-0x0000000072DB0000-0x0000000073560000-memory.dmp

Filesize
7.7MB

Download