stormkitty | 319d78b1aa7153267c5d2a6ecee8d7d02f489c9e8678742b410dd38931c8fea5

Analysis

max time kernel
0s
max time network
104s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
18/04/2025, 02:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-18_e2e81ef1300b970259e1339287d3125c_black-basta_cobalt-strike_coinminer_satacom.exe
Size

6.0MB
MD5

e2e81ef1300b970259e1339287d3125c
SHA1

c8e9f2366df39a7c07621be96a477a3c4debab74
SHA256

319d78b1aa7153267c5d2a6ecee8d7d02f489c9e8678742b410dd38931c8fea5
SHA512

85f68096cb8048c26557733c663f8667478b2d7b8b79f30f9f4bb007b0995fdd09f0c426981526b1dfe05b487c526cef58e310e45e4fde79ac99723e4e99f0fd
SSDEEP

98304:H0zim6BOOUPsZPF27j37dl+adKRF7xzl+qAmXEUydxjGyrrdkXu/SvFJu:UziJO3k5F27j37dsacR/zl+qIU21v1k6

Score

10^/10

stormkitty credential_access discovery stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

resource	yara_rule
behavioral2/files/0x001500000002b25f-27.dat	family_stormkitty
behavioral2/memory/3128-37-0x0000000000E20000-0x0000000000E64000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Uses browser remote debugging 2 TTPs 5 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
3264	chrome.exe
4456	chrome.exe
4144	chrome.exe
5680	chrome.exe
1812	chrome.exe

Executes dropped EXE 2 IoCs

pid	Process
688	oldu busefer.exe
3128	tmpnitwdyoj.exe

Loads dropped DLL 4 IoCs

pid	Process
688	oldu busefer.exe
688	oldu busefer.exe
688	oldu busefer.exe
688	oldu busefer.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ipinfo.io
2	ipinfo.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4948	cmd.exe
4628	netsh.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 688	2076	2025-04-18_e2e81ef1300b970259e1339287d3125c_black-basta_cobalt-strike_coinminer_satacom.exe	80
PID 2076 wrote to memory of 688	2076	2025-04-18_e2e81ef1300b970259e1339287d3125c_black-basta_cobalt-strike_coinminer_satacom.exe	80
PID 688 wrote to memory of 6012	688	oldu busefer.exe	81
PID 688 wrote to memory of 6012	688	oldu busefer.exe	81
PID 6012 wrote to memory of 3128	6012	cmd.exe	82
PID 6012 wrote to memory of 3128	6012	cmd.exe	82
PID 6012 wrote to memory of 3128	6012	cmd.exe	82

C:\Users\Admin\AppData\Local\Temp\2025-04-18_e2e81ef1300b970259e1339287d3125c_black-basta_cobalt-strike_coinminer_satacom.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-18_e2e81ef1300b970259e1339287d3125c_black-basta_cobalt-strike_coinminer_satacom.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Users\Admin\AppData\Local\Temp\onefile_2076_133894177983011447\oldu busefer.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-18_e2e81ef1300b970259e1339287d3125c_black-basta_cobalt-strike_coinminer_satacom.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\tmpnitwdyoj.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:6012
  - - C:\Users\Admin\AppData\Local\Temp\tmpnitwdyoj.exe
      C:\Users\Admin\AppData\Local\Temp\tmpnitwdyoj.exe
      4⤵
      Executes dropped EXE
      PID:3128
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        5⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4948
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4416
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        6⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4628
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        6⤵
        
        PID:2424
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        5⤵
        
        PID:4764
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:5624
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        6⤵
        
        PID:5244
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        
        PID:4456
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb4dd4dcf8,0x7ffb4dd4dd04,0x7ffb4dd4dd10
        6⤵
        
        PID:420
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1504,i,14876530021631693719,13345971257417841619,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=2128 /prefetch:11
        6⤵
        
        PID:2732
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2100,i,14876530021631693719,13345971257417841619,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=2096 /prefetch:2
        6⤵
        
        PID:5288
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2420,i,14876530021631693719,13345971257417841619,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=2576 /prefetch:13
        6⤵
        
        PID:1668
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3308,i,14876530021631693719,13345971257417841619,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3320 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:1812
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3340,i,14876530021631693719,13345971257417841619,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3380 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:5680
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4256,i,14876530021631693719,13345971257417841619,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=4296 /prefetch:9
        6⤵
        Uses browser remote debugging
        
        PID:4144
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4748,i,14876530021631693719,13345971257417841619,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=4764 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:3264

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:924

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Discovery

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
78KB

MD5
e0481b4f953470e5a16a7aef8afe0c2a

SHA1
0f4169f0e2bef71811bea56d340105acbfbad5a2

SHA256
6841e8823f667e14fdc405720526fd5f1859680a4b096d294e105090c7e48da9

SHA512
77907ed372113cd46fafb69e192380cdb1f9484a289051332ee4f2acca9f2704ee44455f95c46a780c530424811c61e456ae2754898df63d280adab43782d875

Download Submit
C:\Users\Admin\AppData\Local\Temp\181.215.176.43\Browsers\Firefox\FirefoxBookmarks.txt

Filesize
81B

MD5
ea511fc534efd031f852fcf490b76104

SHA1
573e5fa397bc953df5422abbeb1a52bf94f7cf00

SHA256
e5fe7f327ae62df007bd1117aa7f522dbbcd371ec67953f66d786424cb1d7995

SHA512
f7d8e575a2332b0fbd491b5e092b7ed6b0942a5165557fcc5d215d873b05103aa6ba01843133871c1c7ac81b10182a15895be49885c98d1a379dd55f88004fae

Download Submit
C:\Users\Admin\AppData\Local\Temp\181.215.176.43\System\Process.txt

Filesize
4KB

MD5
a76c6adfd001a04f550b8c989ed76458

SHA1
cae5976437616cddf9fbd68dd6ac091fcb809ca7

SHA256
b327216f405e29cd492210ab4d849262c53ee788e40085201b11afa0d4767c52

SHA512
0c7759d7e2e95e5158b19478a1aebea8498863c252335d9acc1c4fe038fd5f5ff96bcd129d2a8f88e1b5f44b4015c874212df350bf12725190d5ca3bc63c09fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2076_133894177983011447\_bz2.pyd

Filesize
83KB

MD5
223fd6748cae86e8c2d5618085c768ac

SHA1
dcb589f2265728fe97156814cbe6ff3303cd05d3

SHA256
f81dc49eac5ecc528e628175add2ff6bda695a93ea76671d7187155aa6326abb

SHA512
9c22c178417b82e68f71e5b7fe7c0c0a77184ee12bd0dc049373eace7fa66c89458164d124a9167ae760ff9d384b78ca91001e5c151a51ad80c824066b8ecce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2076_133894177983011447\_lzma.pyd

Filesize
156KB

MD5
05e8b2c429aff98b3ae6adc842fb56a3

SHA1
834ddbced68db4fe17c283ab63b2faa2e4163824

SHA256
a6e2a5bb7a33ad9054f178786a031a46ea560faeef1fb96259331500aae9154c

SHA512
badeb99795b89bc7c1f0c36becc7a0b2ce99ecfd6f6bb493bda24b8e57e6712e23f4c509c96a28bc05200910beddc9f1536416bbc922331cae698e813cbb50b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2076_133894177983011447\oldu busefer.exe

Filesize
6.1MB

MD5
a254c77d5f97c4c35b91dcdd01a70904

SHA1
3a5a89db5020acf2533b1181dd078d90b36e2645

SHA256
92b50eb6ba29e19ce8854d2be8cc8d3283a112d6327abbd771438071538c06b9

SHA512
5f1c17d8e634bd4ebd1c1dead6c3d5af70996b76da06846478ad5961173cff65a14389ddd74e59aadbc9221f9f89d440cbd4eb8b25ad7526253e74ffa638efb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2076_133894177983011447\python312.dll

Filesize
6.6MB

MD5
3c388ce47c0d9117d2a50b3fa5ac981d

SHA1
038484ff7460d03d1d36c23f0de4874cbaea2c48

SHA256
c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb

SHA512
e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2076_133894177983011447\vcruntime140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpnitwdyoj.exe

Filesize
245KB

MD5
e6b880d080ab45ef1067a4dbef6c4464

SHA1
375054ec68252e90c57754d26ff40c4662eb01df

SHA256
c1168aaa187fa545c492d1e85f059db8b5ded7c2b1e88f8a2959987e4134843d

SHA512
1d48d9f8faa1af31d278b382ec5cec4e44d1061f22fbe277ae17eafd74aa9986d39410c76354ad5a4fa19931143d38337f8056eea477bb12cd32b49c8356f323

Download Submit
memory/3128-40-0x00000000069B0000-0x0000000006EDC000-memory.dmp

Filesize
5.2MB

Download
memory/3128-43-0x0000000007510000-0x00000000075A2000-memory.dmp

Filesize
584KB

Download
memory/3128-42-0x0000000007400000-0x0000000007466000-memory.dmp

Filesize
408KB

Download
memory/3128-126-0x0000000007E60000-0x0000000008406000-memory.dmp

Filesize
5.6MB

Download
memory/3128-41-0x0000000006590000-0x00000000065A2000-memory.dmp

Filesize
72KB

Download
memory/3128-36-0x000000007516E000-0x000000007516F000-memory.dmp

Filesize
4KB

Download
memory/3128-37-0x0000000000E20000-0x0000000000E64000-memory.dmp

Filesize
272KB

Download
memory/3128-39-0x0000000075160000-0x0000000075911000-memory.dmp

Filesize
7.7MB

Download
memory/3128-38-0x00000000059F0000-0x0000000005BB2000-memory.dmp

Filesize
1.8MB

Download
memory/3128-227-0x000000007516E000-0x000000007516F000-memory.dmp

Filesize
4KB

Download
memory/3128-228-0x0000000075160000-0x0000000075911000-memory.dmp

Filesize
7.7MB

Download
memory/3128-245-0x0000000075160000-0x0000000075911000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads