MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 230b143294c018f8fc6c36581be214e2d3725546bba0a241da12854052806005. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


StormKitty


Vendor detections: 17


Intelligence 17 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 230b143294c018f8fc6c36581be214e2d3725546bba0a241da12854052806005
SHA3-384 hash: 42ba709baa0888d80ec298188c9a59b08abc1a32fa3259c7e91d84772d3a026269f589143b18e4356d1be8dbbaa5aabd
SHA1 hash: 8a9e0937d7db2b951f50c7cc1f0ebf42aaafb21b
MD5 hash: 3cb427c5f783752ea688c135b516dbb4
humanhash: robert-washington-florida-robert
File name:L5shRfh.exe
Download: download sample
Signature StormKitty
Create hunting rule
File size:6'526'464 bytes
First seen:2025-02-12 21:04:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 98304:H7SmQ0OBrD+f8wNVrq2+ow64WfRnZUo7SmQ0OBrD+f8wNVrq2+ow64WfRnZUW:HOmSDktNjZUoOmSDktNjZUW
TLSH T12766339B7717A82AC7C9577FE1E7540013564606A253D23939C3231A2F873FEA88D9CB
TrID 66.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.5% (.EXE) Win64 Executable (generic) (10522/11/4)
5.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.0% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter aachum
Tags:AsyncRAT exe StormKitty


Avatar
iamaachum
http://185.215.113.75/files/7244183739/L5shRfh.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
453
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
aa883f75bff0257a0fefd5d8d20c6297.exe
Verdict:
Malicious activity
Analysis date:
2025-02-12 09:32:32 UTC
Tags:
amadey botnet stealer loader lumma themida auto redline smoke vidar telegram tofsee lefthook arch-exec cryptbot stegocampaign autoit stealc credentialflusher generic rat asyncrat remote
Link:
https://app.any.run/tasks/09f4d8bd-725d-4010-8b25-c928b911ccac

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Sanesecurity.Malware.30425.UnRegNetReactor.UNOFFICIAL
Create hunting rule

Win.Packed.Zusy-10023527-0
Create hunting rule

Verdict:
Malicious
Score:
90.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67ad0d134f5583c4c4d88045
Tags:
virus msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Restart of the analyzed sample
Searching for synchronization primitives
Сreating synchronization primitives
Creating a file
Launching the default Windows debugger (dwwin.exe)
Using the Windows Management Instrumentation requests
Searching for the window
Connection attempt
Creating a window
Setting a global event handler for the keyboard
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
net_reactor obfuscated obfuscated obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/67ad0d0bc2f1c1c7a05908c6/reports/7204dcf0-3f66-4433-99f0-22d1255b21e8/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/230b143294c018f8fc6c36581be214e2d3725546bba0a241da12854052806005
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6a39482e-4a3d-4fdc-be91-5a2f8d49979a
Result
Threat name:
KeyLogger, PureLog Stealer, StormKitty,
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1613673
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Contains functionality to inject code into remote processes
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected BrowserPasswordDump
Yara detected Keylogger Generic
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Yara detected StormKitty Stealer
Yara detected VenomRAT
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/230b143294c018f8fc6c36581be214e2d3725546bba0a241da12854052806005
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/230b143294c018f8fc6c36581be214e2d3725546bba0a241da12854052806005/
Threat name:
Win32.Trojan.LummaStealer
Create hunting rule
Status:
Malicious
First seen:
2025-02-12 07:54:15 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
27 of 37 (72.97%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=emfrimuuyampr7dmgzmbxyqu4ljxevkgxoqkeqo2ckcuauuamacq._file
Result
Malware family:
stormkitty
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:stormkitty discovery rat stealer
Link:
https://tria.ge/reports/250212-zw91gaymcs/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of SetThreadContext
.NET Reactor proctector
Downloads MZ/PE file
AsyncRat
Asyncrat family
StormKitty
StormKitty payload
Stormkitty family
Verdict:
Malicious
Tags:
Win.Packed.Zusy-10023527-0
YARA:
n/a
Link:
https://app.threat.zone/submission/4ce9596d-0db2-46ff-9f68-46ff5cb56126
Unpacked files
SH256 hash:
230b143294c018f8fc6c36581be214e2d3725546bba0a241da12854052806005
MD5 hash:
3cb427c5f783752ea688c135b516dbb4
SHA1 hash:
8a9e0937d7db2b951f50c7cc1f0ebf42aaafb21b
Link:
https://www.unpac.me/results/337b362e-3c3a-4c0e-9887-a98c2b67e68d/
SH256 hash:
708ed81cb0f250924f34c5c420a1d0573337772d90892c0eb208c2bc72dda8a2
MD5 hash:
6d6e38ddf93a964e1e374f83ff6a5825
SHA1 hash:
64963f1af21b54567e0e33e34f1e63d2e4605784
Detections:
AsyncRAT
Create hunting rule
DiscordRatWebcamGrabber
Create hunting rule
StormKitty
Create hunting rule
cn_utf8_windows_terminal
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_References_SecTools
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_B64_Artifacts
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_CC_Regex
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Discord_Regex
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_VPN
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_WirelessNetReccon
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
MALWARE_Win_StormKitty
Create hunting rule
MALWARE_Win_AsyncRAT
Create hunting rule
MALWARE_Win_DLAgent10
Create hunting rule
MALWARE_Win_UnamedStealer
Create hunting rule
MALWARE_Win_Multi_Family_InfoStealer
Create hunting rule
MALWARE_Win_CyberStealer
Create hunting rule
MALWARE_Win_ArrowRAT
Create hunting rule
MALWARE_Win_VenomRAT
Create hunting rule
Link:
https://www.unpac.me/results/337b362e-3c3a-4c0e-9887-a98c2b67e68d/
SH256 hash:
70f5cf985d8ffc9f6469c5686799e3ed42db418b98ac63dbf203e0a6124a67e2
MD5 hash:
97221cc78207c44a8b62e574df862472
SHA1 hash:
d8156222b9f7576135f113c54e486abcfe4b395e
Detections:
MALWARE_Win_DLAgent10
Create hunting rule
Link:
https://www.unpac.me/results/337b362e-3c3a-4c0e-9887-a98c2b67e68d/
Parent samples :
7266a6dc1df61156179dbe47ebdebeec58a102424b2d810c5dd4986a3ea4d61c
230b143294c018f8fc6c36581be214e2d3725546bba0a241da12854052806005
7b77cc567a3c5e8a31e8abe7404bc2b39198e51d4b3adae736caf5fbe484e2a6
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/230b143294c0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/230b143294c018f8fc6c36581be214e2d3725546bba0a241da12854052806005

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DotNet_Reactor
Create hunting rule
Author:@bartblaze
Description:Identifies .NET Reactor, which offers .NET code protection such as obfuscation, encryption and so on.
Rule name:INDICATOR_EXE_Packed_DotNetReactor
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with unregistered version of .NET Reactor
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:PureCrypter
Create hunting rule
Author:@bartblaze
Description:Identifies PureCrypter, .NET loader and obfuscator.
Reference:https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

StormKitty

Executable exe 230b143294c018f8fc6c36581be214e2d3725546bba0a241da12854052806005

(this sample)

  
Link
https://tria.ge/250212-y5t5yaxrb1/
  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3435923/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments