MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0c482a3a2510cf8f323c5c4d9097850be9e77f09cf163b1de2c2220cfad3beb8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


StormKitty


Vendor detections: 13


Intelligence 13 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0c482a3a2510cf8f323c5c4d9097850be9e77f09cf163b1de2c2220cfad3beb8
SHA3-384 hash: 29034adc7582d7fff99940496ec5a4e99954e5e518d26981a24f43880fadef97b246ce94bf041144d81f33a346ecd50a
SHA1 hash: 7e190c3185d1be75d7d09b76076f912fd19118a0
MD5 hash: 901065aafa6934c9ef544f46a78f2832
humanhash: carolina-music-may-carolina
File name:PAYMENT-COPYaosi.exe
Download: download sample
Signature StormKitty
Create hunting rule
File size:5'529'088 bytes
First seen:2024-01-12 13:13:51 UTC
Last seen:2024-01-12 15:17:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 0751433fb799ff99dbf59b2d0c85d83d (4 x StormKitty, 3 x AgentTesla, 2 x Stealc)
ssdeep 49152:VbpDdWsKJkV1gzdCQXXxmcQsDhKmuFo/4gqvYEyOezjC89i9ruA0iHxtVXrOx+al:y4kpqvYEyFFA0A5Xax/88
Threatray 31 similar samples on MalwareBazaar
TLSH T1EC46AE15B7D505D8E87BC630CA2A8732E6B1B8590735838F0538D35B1E37B958F7B22A
TrID 60.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
17.2% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
10.9% (.EXE) Win64 Executable (generic) (10523/12/4)
5.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.1% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon 70f0f2ede2d27860 (1 x StormKitty, 1 x AgentTesla)
Reporter abuse_ch
Tags:exe StormKitty

Intelligence

File Origin
# of uploads :
2
# of downloads :
326
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0c482a3a2510cf8f323c5c4d9097850be9e77f09cf163b1de2c2220cfad3beb8.zip
Verdict:
No threats detected
Analysis date:
2024-01-12 13:17:32 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b877360e-f9e7-40eb-9207-44549289d8a2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win64.PWSX-gen.11270.9529.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Using the Windows Management Instrumentation requests
Creating a file
Reading critical registry keys
Creating a file in the %temp% directory
Creating a window
Running batch commands
Launching the process to change network settings
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Enabling the 'hidden' option for recently created files
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Labled as:
Tedy.Generic
Link:
https://www.hybrid-analysis.com/sample/0c482a3a2510cf8f323c5c4d9097850be9e77f09cf163b1de2c2220cfad3beb8
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Stealerium Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a1cc0bdf-80df-4bfb-ba1a-17b03c63d989
Result
Threat name:
AsyncRAT, StormKitty, WorldWind Stealer
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1373733
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Contains functionality to capture screen (.Net source)
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Capture Wi-Fi password
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Uses netsh to modify the Windows network and firewall settings
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected AsyncRAT
Yara detected Generic Downloader
Yara detected StormKitty Stealer
Yara detected Telegram RAT
Yara detected WorldWind Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1373733 Sample: PAYMENT-COPYaosi.exe Startdate: 12/01/2024 Architecture: WINDOWS Score: 100 44 api.telegram.org 2->44 46 68.227.1.0.in-addr.arpa 2->46 48 2 other IPs or domains 2->48 60 Multi AV Scanner detection for domain / URL 2->60 62 Found malware configuration 2->62 64 Malicious sample detected (through community Yara rule) 2->64 68 11 other signatures 2->68 9 PAYMENT-COPYaosi.exe 2->9         started        signatures3 66 Uses the Telegram API (likely for C&C communication) 44->66 process4 signatures5 70 Found many strings related to Crypto-Wallets (likely being stolen) 9->70 72 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 9->72 74 Writes to foreign memory regions 9->74 76 2 other signatures 9->76 12 jsc.exe 15 160 9->12         started        process6 dnsIp7 50 127.0.0.1 unknown unknown 12->50 52 api.telegram.org 149.154.167.220, 443, 49708, 49709 TELEGRAMRU United Kingdom 12->52 54 2 other IPs or domains 12->54 36 C:\Users\user\AppData\...\AIXACVYBSB.xlsx, ASCII 12->36 dropped 38 C:\Users\user\AppData\...\TQDGENUHWP.docx, ASCII 12->38 dropped 40 C:\Users\user\AppData\...40HPKIZUUSG.png, ASCII 12->40 dropped 42 2 other malicious files 12->42 dropped 78 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 12->78 80 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 12->80 82 Tries to harvest and steal browser information (history, passwords, etc) 12->82 84 2 other signatures 12->84 17 cmd.exe 1 12->17         started        20 cmd.exe 1 12->20         started        file8 signatures9 process10 signatures11 56 Uses netsh to modify the Windows network and firewall settings 17->56 58 Tries to harvest and steal WLAN passwords 17->58 22 netsh.exe 2 17->22         started        24 conhost.exe 17->24         started        26 findstr.exe 1 17->26         started        28 chcp.com 1 17->28         started        30 netsh.exe 2 20->30         started        32 conhost.exe 20->32         started        34 chcp.com 1 20->34         started        process12
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0c482a3a2510cf8f323c5c4d9097850be9e77f09cf163b1de2c2220cfad3beb8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0c482a3a2510cf8f323c5c4d9097850be9e77f09cf163b1de2c2220cfad3beb8/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2024-01-11 12:00:15 UTC
File Type:
PE+ (Exe)
Extracted files:
11
AV detection:
13 of 37 (35.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=brecuorfcdhy6mr4lrgzbf4fbpu6o7yjz4ldwhpcyiraz6wtx24a._file
Verdict:
malicious
Similar samples:
0c482a3a2510cf8f323c5c4d9097850be9e77f09cf163b1de2c2220cfad3beb8
StormKitty
4520e200bd01f6ffd786172f0b6d482510e8367055cf7082ab455b61554a0e32
StormKitty
48b0afb9f404d55c311994ab4da41e3aa6dacd23a1b8e0de1addfe6f9fea4d11
StormKitty
5982ee2f9702075b4dbc970ed9d8e142830ea74e35554c9e46ebacf2d42702c9
StormKitty
5a5a5ebdbcaac1a77e3b8aa6f439b37080c17076934930121601bb4e78b6dc8a
StormKitty
e4972f23b390d71961d55dcea84503fdfb26a8c285858fe66937bf54aac55a88
StormKitty
eab4a2382263fbfedbddaed6cd19627ba3d5d9f5db8060a2a1adc2b1c4ca7125
StormKitty
fc05a007f7b6a6e4a69f15f1a31822957f3aae14a81e01e7c6eb9ceac0835a3b
StormKitty
+ 21 additional samples on MalwareBazaar
Result
Malware family:
stormkitty
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:stormkitty botnet:default rat stealer
Link:
https://tria.ge/reports/240112-qgnn9ahda5/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops desktop.ini file(s)
Looks up external IP address via web service
Looks up geolocation information via web service
Async RAT payload
AsyncRat
StormKitty
StormKitty payload
Malware Config
C2 Extraction:
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot6923682581:AAFwzssZK9YLzEpsTQfaL55LeBIoZ33b630/sendMessage?chat_id=6499200163
Unpacked files
SH256 hash:
0c482a3a2510cf8f323c5c4d9097850be9e77f09cf163b1de2c2220cfad3beb8
MD5 hash:
901065aafa6934c9ef544f46a78f2832
SHA1 hash:
7e190c3185d1be75d7d09b76076f912fd19118a0
Link:
https://www.unpac.me/results/bcf12b48-679a-40ca-bce9-1a7f681bd0f6/
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0c482a3a2510/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0c482a3a2510cf8f323c5c4d9097850be9e77f09cf163b1de2c2220cfad3beb8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__MemoryWorkingSet
Create hunting rule
Author:Fernando Mercês
Description:Anti-debug process memory working set size check
Reference:http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments