MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a7602edc5309eb0683609f1e54bc11052e046b2b3f61f64397526fa935d7c6d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


StormKitty


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0a7602edc5309eb0683609f1e54bc11052e046b2b3f61f64397526fa935d7c6d
SHA3-384 hash: 5df84c05a0cefdac8e75e3099fee8a173a7abf2a5fc75d903717ed9e05d4a93c50ef7c55ff1328acfcdbaef40e57d4fd
SHA1 hash: 90203d582817c0b1e0778e53ab8ef63c2505d912
MD5 hash: 25f00b7c2ff3ae44d849863c1e47b096
humanhash: fix-tango-leopard-freddie
File name:9JFiKVm.exe
Download: download sample
Signature StormKitty
Create hunting rule
File size:491'048 bytes
First seen:2025-03-14 09:17:13 UTC
Last seen:2025-03-15 12:37:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c20b211897fc2b6d9fa32b006a00ef15 (10 x LummaStealer, 2 x DarkCloud, 2 x Vidar)
ssdeep 12288:7AJ0SiRi56OkEAmD5ZPfrzp+5ifMNVbVciqzSsEO:U0S496z8o6bciPst
TLSH T115A4E197726678F8E857877088654621C3737C3E4555DB0F12A43A2B3F733922CAAF26
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
dhash icon 68d8d8c8d9a9c1d9 (96 x SnakeKeylogger, 67 x RemcosRAT, 66 x Formbook)
Reporter KatzenTech
Tags:exe StormKitty

Intelligence

File Origin
# of uploads :
4
# of downloads :
152
Origin country :
DE DE
Vendor Threat Intelligence
Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67d3fbce08116ce425711834
Tags:
injection obfusc virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a file in the %AppData% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Creating a file in the %AppData% subdirectories
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a file
DNS request
Creating a file in the %temp% directory
Reading critical registry keys
Launching cmd.exe command interpreter
Searching for synchronization primitives
Launching a service
Unauthorized injection to a recently created process
Setting a global event handler for the keyboard
Blocking the User Account Control
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm invalid-signature microsoft_visual_cc packed packed packer_detected signed
Link:
https://www.filescan.io/uploads/67d3f450dab9a7b6c5948306/reports/e1f0469c-9902-44ea-859c-9b66c23c5793/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/0a7602edc5309eb0683609f1e54bc11052e046b2b3f61f64397526fa935d7c6d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/b90fdfc1-df9a-4a32-8c39-d192e7533d9d
Result
Threat name:
AsyncRAT, DcRat, StormKitty, VenomRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1638269
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for dropped file
Contains functionality to inject code into remote processes
Contains functionality to log keystrokes (.Net Source)
Creates HTML files with .exe extension (expired dropper behavior)
Disable UAC(promptonsecuredesktop)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables UAC (registry)
Encrypted powershell cmdline option found
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Suspicious Windows Service Tampering
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses whoami command line tool to query computer and username
Writes to foreign memory regions
Yara detected AsyncRAT
Yara detected DcRat
Yara detected StormKitty Stealer
Yara detected VenomRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1638269 Sample: 9JFiKVm.exe Startdate: 14/03/2025 Architecture: WINDOWS Score: 100 88 pki-goog.l.google.com 2->88 90 c.pki.goog 2->90 92 bg.microsoft.map.fastly.net 2->92 98 Suricata IDS alerts for network traffic 2->98 100 Found malware configuration 2->100 102 Malicious sample detected (through community Yara rule) 2->102 104 12 other signatures 2->104 12 9JFiKVm.exe 1 2->12         started        15 4hkY39crKD.exe 3 2->15         started        signatures3 process4 signatures5 120 Contains functionality to inject code into remote processes 12->120 122 Writes to foreign memory regions 12->122 124 Allocates memory in foreign processes 12->124 126 Injects a PE file into a foreign processes 12->126 17 MSBuild.exe 3 12->17         started        21 conhost.exe 12->21         started        128 Antivirus detection for dropped file 15->128 130 Multi AV Scanner detection for dropped file 15->130 process6 file7 84 C:\Users\user\AppData\...\4hkY39crKD.exe, PE32 17->84 dropped 96 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 17->96 23 4hkY39crKD.exe 18 32 17->23         started        signatures8 process9 dnsIp10 94 20.206.204.9, 4449, 49691, 49697 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 23->94 86 C:\Users\user\AppData\...\4hkY39crKD.exe, PE32 23->86 dropped 112 Antivirus detection for dropped file 23->112 114 Multi AV Scanner detection for dropped file 23->114 116 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 23->116 118 5 other signatures 23->118 28 powershell.exe 1 17 23->28         started        31 powershell.exe 23->31         started        33 powershell.exe 23->33         started        file11 signatures12 process13 signatures14 132 Suspicious powershell command line found 28->132 134 Uses whoami command line tool to query computer and username 28->134 35 powershell.exe 28->35         started        38 cmd.exe 28->38         started        48 5 other processes 28->48 40 powershell.exe 31->40         started        42 cmd.exe 31->42         started        50 5 other processes 31->50 44 powershell.exe 33->44         started        46 cmd.exe 33->46         started        52 5 other processes 33->52 process15 signatures16 106 Disable Windows Defender notifications (registry) 35->106 108 Disable Windows Defender real time protection (registry) 35->108 110 Uses whoami command line tool to query computer and username 35->110 54 cmd.exe 35->54         started        60 5 other processes 35->60 62 2 other processes 38->62 56 cmd.exe 40->56         started        64 5 other processes 40->64 66 2 other processes 42->66 58 cmd.exe 44->58         started        68 5 other processes 44->68 70 2 other processes 46->70 process17 process18 72 conhost.exe 54->72         started        74 SecurityHealthSystray.exe 54->74         started        76 conhost.exe 56->76         started        78 SecurityHealthSystray.exe 56->78         started        80 conhost.exe 58->80         started        82 SecurityHealthSystray.exe 58->82         started       
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0a7602edc5309eb0683609f1e54bc11052e046b2b3f61f64397526fa935d7c6d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0a7602edc5309eb0683609f1e54bc11052e046b2b3f61f64397526fa935d7c6d/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-03-14 01:17:45 UTC
File Type:
PE+ (Exe)
Extracted files:
3
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bj3af3ofgcpla2bwbhy6ks6bcbjoarvswp3b6zbzoutpve25prwq._file
Result
Malware family:
stormkitty
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:stormkitty botnet:default defense_evasion discovery evasion execution rat spyware stealer trojan
Link:
https://tria.ge/reports/250314-k9nl3a1kv6/
Behaviour
Modifies data under HKEY_USERS
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
System Location Discovery: System Language Discovery
Browser Information Discovery
Enumerates physical storage devices
Launches sc.exe
Suspicious use of SetThreadContext
Checks installed software on the system
Checks whether UAC is enabled
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Async RAT payload
AsyncRat
Asyncrat family
Modifies Windows Defender DisableAntiSpyware settings
Modifies Windows Defender Real-time Protection settings
StormKitty
StormKitty payload
Stormkitty family
Suspicious use of NtCreateUserProcessOtherParentProcess
UAC bypass
Malware Config
C2 Extraction:
20.206.204.9:4449
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/8f6a9587-f1e0-4564-a154-5ca8b362f105
Unpacked files
SH256 hash:
0a7602edc5309eb0683609f1e54bc11052e046b2b3f61f64397526fa935d7c6d
MD5 hash:
25f00b7c2ff3ae44d849863c1e47b096
SHA1 hash:
90203d582817c0b1e0778e53ab8ef63c2505d912
Link:
https://www.unpac.me/results/1a193f51-2264-4992-8c1d-31d12b668c27/
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0a7602edc530/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0a7602edc5309eb0683609f1e54bc11052e046b2b3f61f64397526fa935d7c6d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

StormKitty

Executable exe 0a7602edc5309eb0683609f1e54bc11052e046b2b3f61f64397526fa935d7c6d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3476632/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW

Comments