MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 218e44916d241d9951bc48824cf40cbd6f7798b7e54d6feb5ec5dfbaff222b30. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 218e44916d241d9951bc48824cf40cbd6f7798b7e54d6feb5ec5dfbaff222b30
SHA3-384 hash: f29fd69f39a95d817e7cc344ee72d6d85a7790ed5a6dbbbc62e01ac0115ddbb16f00b79ee1d9886a32ec45713bfc0dd2
SHA1 hash: 180674d140f62991f24b150189cc7c1d2e5b02b6
MD5 hash: 50d7426fb6f384e50af7f80826f47c50
humanhash: quiet-cup-bulldog-east
File name:090890090.exe
Download: download sample
File size:903'508 bytes
First seen:2021-04-30 07:54:31 UTC
Last seen:2021-04-30 09:03:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ea4e67a31ace1a72683a99b80cf37830 (70 x Formbook, 63 x GuLoader, 54 x Loki)
ssdeep 12288:aGJnFu6hwS2OcnuaxJsAoP7Or+SjbjaQW+jqz8/o76Vi40vVCgH4mUxJNs6c7Cm8:aGJVNc1doParnLW+qkVi40QgH41xIdT6
Threatray 4'776 similar samples on MalwareBazaar
TLSH 921523397D28C876DBE602723A5ABC66E7FBD60347705E8BF3C1954EB0472C2C809592
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Detection:
StormKitty
Create hunting rule
Link:
https://www.capesandbox.com/analysis/147264/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.30689.1719.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Sending a UDP request
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Creating a window
Setting a keyboard event handler
Launching a process
Reading critical registry keys
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
StormKitty
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/704255
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected Generic Dropper
Yara detected StormKitty Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 401052 Sample: 090890090.exe Startdate: 30/04/2021 Architecture: WINDOWS Score: 100 56 Malicious sample detected (through community Yara rule) 2->56 58 Multi AV Scanner detection for dropped file 2->58 60 Yara detected StormKitty Stealer 2->60 62 2 other signatures 2->62 7 shasyrevqixs.exe 17 2->7         started        11 090890090.exe 1 21 2->11         started        13 shasyrevqixs.exe 17 2->13         started        process3 file4 34 C:\Users\user\AppData\Local\Temp\...\7rc8.dll, PE32 7->34 dropped 74 Multi AV Scanner detection for dropped file 7->74 76 Detected unpacking (changes PE section rights) 7->76 78 Detected unpacking (overwrites its own PE header) 7->78 80 Machine Learning detection for dropped file 7->80 15 shasyrevqixs.exe 7->15         started        36 C:\Users\user\AppData\...\shasyrevqixs.exe, PE32 11->36 dropped 38 C:\Users\user\AppData\Local\Temp\...\7rc8.dll, PE32 11->38 dropped 82 Maps a DLL or memory area into another process 11->82 18 090890090.exe 1 11->18         started        40 C:\Users\user\AppData\Local\Temp\...\7rc8.dll, PE32 13->40 dropped 20 shasyrevqixs.exe 13->20         started        signatures5 process6 signatures7 84 Sample uses process hollowing technique 15->84 86 Installs a global keyboard hook 15->86 22 AppLaunch.exe 15->22         started        26 AppLaunch.exe 2 15->26         started        28 conhost.exe 15->28         started        30 AppLaunch.exe 15 3 18->30         started        32 AppLaunch.exe 2 18->32         started        process8 dnsIp9 42 15.55.7.0.in-addr.arpa 22->42 64 Tries to steal Mail credentials (via file access) 22->64 66 Tries to harvest and steal browser information (history, passwords, etc) 22->66 44 15.55.7.0.in-addr.arpa 26->44 46 192.168.2.1 unknown unknown 26->46 48 15.55.7.0.in-addr.arpa 30->48 54 2 other IPs or domains 30->54 68 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 30->68 70 May check the online IP address of the machine 30->70 72 Tries to steal Instant Messenger accounts or passwords 30->72 50 15.55.7.0.in-addr.arpa 32->50 52 104.22.18.188, 49752, 80 CLOUDFLARENETUS United States 32->52 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/218e44916d241d9951bc48824cf40cbd6f7798b7e54d6feb5ec5dfbaff222b30/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-04-30 07:55:20 UTC
AV detection:
14 of 47 (29.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eghejelneqozsun4jcbez5amxvxxpgfx4vgw7226yxp3v7zcfmya._file
Verdict:
unknown
Similar samples:
222386adc9e4c25fd36319d0ad90f5e9eca14aa8cf3b3f3425dcb60a5fea4b30
3693a93f4ddbfa1eb9207e06cf87041b59b9b1ddfd866e6fbbbb52aaeae7ed83
3aa7ff3796ff778b0792bd69b9f8aa0cb09f133e415134f85c8dd174c8e8382f
8e122a7da836e05e954001c5f6e2209aa5e0835ea7af0e08e324e538a075f364
aba011b5f83793cebc1cfb4a1ef3aecbba7a3ea766abb459363b2d8bb51f3866
d171f74f5d0cb8a469db9262869b3798ae0ed18098b4017207ff7f6e69fcd07a
da3f2156d9c0809395cf299e9818a43849a62226ab3b95fcdc0abd4eda78b3a6
e6678504db885f9146a19df19cf75d3db24776c247c3eabca6f6160f57f5d68e
f27dfa34490a595f8ad99b083d4b0e3147b183c651e41760b038339e441b8582
fc8981fbaba568d24617445293a465a341cb2ac3055e8cd29c5bad2ee1f6b952
+ 4'766 additional samples on MalwareBazaar
Result
Malware family:
stormkitty
Create hunting rule
Score:
  10/10
Tags:
family:stormkitty persistence spyware stealer
Link:
https://tria.ge/reports/210430-d8wdd15w4a/
Behaviour
Checks processor information in registry
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Reads local data of messenger clients
StormKitty
StormKitty Payload
Unpacked files
SH256 hash:
3831c26f76cc9b4a80690429ca8eb75e3ce4dd4b8dae342963567d526cfea04a
MD5 hash:
c8bbca4a5c2b38bfd7263650c0e5263a
SHA1 hash:
9d5f2bbcc10dd2bcba50130c169b7fc7ef9c298a
Link:
https://www.unpac.me/results/772abdfa-727f-4c31-b175-f30e40f02091/
SH256 hash:
218e44916d241d9951bc48824cf40cbd6f7798b7e54d6feb5ec5dfbaff222b30
MD5 hash:
50d7426fb6f384e50af7f80826f47c50
SHA1 hash:
180674d140f62991f24b150189cc7c1d2e5b02b6
Link:
https://www.unpac.me/results/772abdfa-727f-4c31-b175-f30e40f02091/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/218e44916d241d9951bc48824cf40cbd6f7798b7e54d6feb5ec5dfbaff222b30

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/147264/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-30 08:07:46 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [C0032.001] Data Micro-objective::CRC32::Checksum
1) [C0026.002] Data Micro-objective::XOR::Encode Data
4) [C0046] File System Micro-objective::Create Directory
5) [C0048] File System Micro-objective::Delete Directory
6) [C0047] File System Micro-objective::Delete File
7) [C0049] File System Micro-objective::Get File Attributes
8) [C0051] File System Micro-objective::Read File
9) [C0050] File System Micro-objective::Set File Attributes
10) [C0052] File System Micro-objective::Writes File
11) [E1510] Impact::Clipboard Modification
12) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
13) [C0036.002] Operating System Micro-objective::Delete Registry Key::Registry
14) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
15) [C0036.005] Operating System Micro-objective::Query Registry Key::Registry
16) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
17) [C0017] Process Micro-objective::Create Process
18) [C0038] Process Micro-objective::Create Thread