MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 11d64db2c2dd610cd7ccdd45f9a985a23cfd8ae488b98ec809c6e4c98aef7b68. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


StormKitty


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 11d64db2c2dd610cd7ccdd45f9a985a23cfd8ae488b98ec809c6e4c98aef7b68
SHA3-384 hash: 80aab37afad35f29fb416820d1506067de8f3d2e1519c403d71ed9888d47a91b590078ae5ec68ed1127e7cd0e5dc8a36
SHA1 hash: 5075d132fa62466cf91a1776083787cab436a0fc
MD5 hash: 7a4e0ebd1451bb30a7268f0a08c32203
humanhash: florida-white-table-mountain
File name:detalle_transferencia_2022-12-13.exe
Download: download sample
Signature StormKitty
Create hunting rule
File size:681'504 bytes
First seen:2022-12-13 09:43:08 UTC
Last seen:2022-12-13 11:32:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:9xqPrJapZe3pJzpgabWvRF41FAGkZyGxXf0ClJLrk:9ETJapw53AECPXf0ClNrk
Threatray 1'375 similar samples on MalwareBazaar
TLSH T168E412423A844352D92664B482DF563047F3BDA3AAF2D6DA3E4C53DC8F503E29DA8749
TrID 56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon d2e8ecb2b2a2b282 (106 x AgentTesla, 106 x Formbook, 24 x RedLineStealer)
Reporter lowmal3
Tags:exe StormKitty

Intelligence

File Origin
# of uploads :
2
# of downloads :
216
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
quasar
Create hunting rule
ID:
1
File name:
detalle_transferencia_2022-12-13.exe
Verdict:
Malicious activity
Analysis date:
2022-12-13 09:44:42 UTC
Tags:
evasion quasar
Link:
https://app.any.run/tasks/970e4923-3622-4966-8512-a8ca60e42f68

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
StormKitty
Create hunting rule
Link:
https://www.capesandbox.com/analysis/345782/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1293.3648.16860.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Сreating synchronization primitives
Creating a window
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated overlay packed
Link:
https://www.filescan.io/uploads/639849639a505ad9423f784c/reports/4e8e5075-d3d7-4e22-a8a9-21bb7e76d63b/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4c8f4bb6-662f-4729-b44e-0cc99b8ce202
Result
Threat name:
BluStealer, StormKitty
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1133299
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Allocates memory in foreign processes
Detected potential unwanted application
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected BluStealer
Yara detected StormKitty Stealer
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/11d64db2c2dd610cd7ccdd45f9a985a23cfd8ae488b98ec809c6e4c98aef7b68/
Threat name:
ByteCode-MSIL.Trojan.GenSteal
Create hunting rule
Status:
Malicious
First seen:
2022-12-13 09:44:08 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
5
AV detection:
15 of 26 (57.69%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=chle3mwc3vqqzv6m3vc7tkmfui6p3cxerc4y5sajy3smtcxppnua._file
Verdict:
malicious
Similar samples:
35e255221666b02df8ef997bdaa57467578250389d31ec045a73b584a4712f52
StormKitty
50e8d5699c036091cd4866bd3892bc89c655999e3fc96194f686587c638d6336
StormKitty
559e053e4acfbcb073e2f2614d733a4ef73f778147a2c58f881a46a8bd3a88f8
StormKitty
57bb2cd71368b27810a445aaf9f5260d29e636c5a8d7e5e101bca25e924a1f18
StormKitty
670906ad0855a2402291c290dc16f18343be80a00cb7f164463475b2fbf132b5
StormKitty
6c2ccca3064d2d2f17e9cd5222df4efbd2b21dc5bd7acf5b0fe57edeccd037d3
StormKitty
8853cb89f4e416cfb1651fbcadec1b1bef2f4da101ea389de3f08a42f03ed013
StormKitty
b224d71e1f83abba5f7502d2450d4866b1e75286b738ee9fe204608a7dc38b38
StormKitty
e15a30747a6b21794d76525b32ee3c32521bb917839ae3b2519f4e174cfe107f
StormKitty
f7b0405a91931c6c0d4bb544875a6ca6c4e1b867b5df82ebd4b9a9fddeeba71b
StormKitty
+ 1'365 additional samples on MalwareBazaar
Result
Malware family:
stormkitty
Create hunting rule
Score:
  10/10
Tags:
family:blustealer family:stormkitty collection spyware stealer
Link:
https://tria.ge/reports/221213-lqgvvahb2w/
Behaviour
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
BluStealer
StormKitty
StormKitty payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5627356603:AAG-Mx0TbSHRRW6IwndrpX3VLZdhd6C-Zac/sendMessage?chat_id=5472437377
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4cf5f0ef-3fdc-4dca-97e5-676c501ebd04
Unpacked files
SH256 hash:
11d64db2c2dd610cd7ccdd45f9a985a23cfd8ae488b98ec809c6e4c98aef7b68
MD5 hash:
7a4e0ebd1451bb30a7268f0a08c32203
SHA1 hash:
5075d132fa62466cf91a1776083787cab436a0fc
Link:
https://www.unpac.me/results/71e3ac5a-fbca-449d-bd7f-48cd64f64250/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/11d64db2c2dd610cd7ccdd45f9a985a23cfd8ae488b98ec809c6e4c98aef7b68

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BAZT_B5_NOCEXInvalidStream
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

StormKitty

Executable exe 11d64db2c2dd610cd7ccdd45f9a985a23cfd8ae488b98ec809c6e4c98aef7b68

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/345782/

Comments