MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 29468996dd9c87967af928e90d2ef29cf1c41222f00eda022d790e1de87408d1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


StormKitty


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 29468996dd9c87967af928e90d2ef29cf1c41222f00eda022d790e1de87408d1
SHA3-384 hash: 5e0f87882b822d4935495367c2d022a3edac333f048e4d3d7cf055b6cdfa13744b9c7e7fa600495f4c66d4e90a8ebb64
SHA1 hash: 4cf349fb20e76ad32df359b9f686074670b771c9
MD5 hash: 5ab27ea90371d433e93ad274f1b596f8
humanhash: cardinal-avocado-cat-alanine
File name:Atualizacao_plugin_adobe_2025_1749017198.js
Download: download sample
Signature StormKitty
Create hunting rule
File size:5'052 bytes
First seen:2025-06-04 07:20:58 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 96:zVcPPLexaaShb/edp0MMeMEL/ShbP0lOedMamShbPShbMShb5ShbMKShbOE4L+s4:zVe6EK1GDUwBsPRM8MztU4lvP
Threatray 70 similar samples on MalwareBazaar
TLSH T1D7A19388D92B77DC78CA4A382290E531DB7FE817DAA6593DC3313FE592809C24D4B54A
Magika javascript
Reporter smica83
Tags:js StormKitty

Intelligence

File Origin
# of uploads :
1
# of downloads :
507
Origin country :
HU HU
Vendor Threat Intelligence
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=683ff51a07b5e8c1cfe49127
Tags:
obfuscate xtreme shell
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/683ff425e336a33801e2e741/reports/a284790c-b8c9-4085-b32d-e5ce18dade4f/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/29468996dd9c87967af928e90d2ef29cf1c41222f00eda022d790e1de87408d1
Result
Threat name:
AsyncRAT, KeyLogger, StormKitty, Strela
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1705628
Signature
Bypasses PowerShell execution policy
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected BrowserPasswordDump
Yara detected Keylogger Generic
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected StormKitty Stealer
Yara detected Strela Stealer
Yara detected UAC Bypass using CMSTP
Yara detected VenomRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1705628 Sample: Atualizacao_plugin_adobe_20... Startdate: 04/06/2025 Architecture: WINDOWS Score: 100 31 adobe-ms-update.com 2->31 33 pki-goog.l.google.com 2->33 35 3 other IPs or domains 2->35 53 Suricata IDS alerts for network traffic 2->53 55 Found malware configuration 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 21 other signatures 2->59 8 wscript.exe 1 1 2->8         started        12 powershell.exe 3 17 2->12         started        signatures3 process4 dnsIp5 39 adobe-ms-update.com 172.67.145.143, 443, 49685, 49688 CLOUDFLARENETUS United States 8->39 63 JScript performs obfuscated calls to suspicious functions 8->63 65 Suspicious powershell command line found 8->65 67 Wscript starts Powershell (via cmd or directly) 8->67 69 2 other signatures 8->69 15 powershell.exe 14 15 8->15         started        29 C:\Users\Public\Downloads\adobe_updater.js, Unicode 12->29 dropped 19 wscript.exe 12->19         started        21 conhost.exe 12->21         started        file6 signatures7 process8 dnsIp9 41 archive.org 207.241.224.2, 443, 49689 INTERNET-ARCHIVEUS United States 15->41 43 Found many strings related to Crypto-Wallets (likely being stolen) 15->43 45 Found Tor onion address 15->45 47 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 15->47 51 2 other signatures 15->51 23 MSBuild.exe 1 3 15->23         started        27 conhost.exe 15->27         started        49 System process connects to network (likely due to code injection or exploit) 19->49 signatures10 process11 dnsIp12 37 176.123.10.4, 4449, 49697 ALEXHOSTMD Moldova Republic of 23->37 61 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 23->61 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/29468996dd9c87967af928e90d2ef29cf1c41222f00eda022d790e1de87408d1/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-06-04 07:22:09 UTC
File Type:
Binary
AV detection:
4 of 24 (16.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ffditfw5tsdzm6xzfduq2lxstty4ierc6ahnuarnpehb32dubdiq._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
stormkitty
Create hunting rule
Similar samples:
090e3f0b11da0d8bef13a17293cbcbf6277ac2d8276b6ef6673f2b0061a1c5bd
StormKitty
23f9fe7816885cdc1fa4082870eb0eb6804df4dc15cafb0cb4c301bc7bebe5ea
StormKitty
6e7b45cff195d3b5234ecb0d64022233bb382524960fee75316ffeb3c87ad102
StormKitty
7065de23872ea88872ebf6d50dbd886cbc441c75b72fbac5f1fa632bd46006c2
StormKitty
8f008745afdae7a3936038812a754d85b29c10f394f37a2e123c790d66359c53
StormKitty
9f28f82d21fe99d0efdcab403f73870d68fd94e6d0f762e658d923ccd1e7424c
StormKitty
b821af160140458283dfcfa9c43ecfb97def0d2ada7844877fcfca75c033294a
StormKitty
cc8c9f5b7a3a6d049cdb9a484fb0f39b0cf8d7f73dfc78b495c9580a93363f64
StormKitty
e33b8b32bccfb50f604f06a306d1af89ae7b0d583bca20c41fa5811f526aa420
StormKitty
error
StormKitty
f000c483ebcf213dac9968099f6f8c866a63e81e1955ba3664a58592ddac6477
StormKitty
+ 60 additional samples on MalwareBazaar
Result
Malware family:
stormkitty
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:stormkitty discovery execution rat stealer
Link:
https://tria.ge/reports/250604-h7aw3ssq16/
Behaviour
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
AsyncRat
Asyncrat family
StormKitty
StormKitty payload
Stormkitty family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Venom RAT
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/29468996dd9c87967af928e90d2ef29cf1c41222f00eda022d790e1de87408d1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments