MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2a2613220f805ec9446b4d266c68b3a04e45cd6beb30d20a01d0675fdbf114e8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


StormKitty


Vendor detections: 16


Intelligence 16 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2a2613220f805ec9446b4d266c68b3a04e45cd6beb30d20a01d0675fdbf114e8
SHA3-384 hash: 30ab671dc90aff2c01a8eb90e888cbc1c035d973fe87038dc61c44568756fdc209af0eaf88ea53f99aa81bc21a4f0fa6
SHA1 hash: 3b099f56a695a30985e1f615265602564d628096
MD5 hash: 3b4a5644746f4f973ae3acb42bd83132
humanhash: charlie-georgia-pennsylvania-enemy
File name:file
Download: download sample
Signature StormKitty
Create hunting rule
File size:4'261'376 bytes
First seen:2025-09-14 04:01:28 UTC
Last seen:2025-09-14 04:03:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 44d8a197c84278da32b54956d7f26e65 (6 x LummaStealer, 1 x StormKitty, 1 x Vidar)
ssdeep 98304:UtWxtiCHOPRbEipPw/3YslUjiOlywK/GqC5:UKiPH9w/33laiOlyBq5
Threatray 822 similar samples on MalwareBazaar
TLSH T1F916231DE8B990E7FCE745B1AB455012A532BD378B181ADB41E887A1325BEFD053E332
TrID 63.5% (.EXE) Win64 Executable (generic) (10522/11/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter Bitsight
Tags:dropped-by-amadey exe StormKitty


Avatar
Bitsight
url: http://178.16.54.200/files/5815908625/K6lV9Hn.exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
89
Origin country :
US US
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
random.exe
Verdict:
Malicious activity
Analysis date:
2025-09-14 00:42:32 UTC
Tags:
lumma stealer amadey auto redline botnet loader telegram arch-exec themida auto-reg coinminer miner rdp stealc vidar anti-evasion gcleaner
Link:
https://app.any.run/tasks/705ef42e-a972-4b79-882a-bab0a0efae06

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
ArrowRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/27395/
Detection(s):
Win.Packed.Lazy-10057857-0
Create hunting rule

Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68c63e49e579c633a4b51c0a
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Launching a process
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fingerprint microsoft_visual_cc obfuscated packed packed packer_detected similar-threat
Link:
https://www.filescan.io/uploads/68c63e507328794829296062/reports/4c5449f6-621f-46c7-b743-f67339bbfccd/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/2a2613220f805ec9446b4d266c68b3a04e45cd6beb30d20a01d0675fdbf114e8
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-09-13T10:27:00Z UTC
Last seen:
2025-09-13T10:27:00Z UTC
Hits:
~100
Detections:
VHO:Trojan.Win32.InjectorNetT.gen HEUR:Trojan.Win32.InjectorNetT.pef
Link:
https://opentip.kaspersky.com/2a2613220f805ec9446b4d266c68b3a04e45cd6beb30d20a01d0675fdbf114e8/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/bd1fbea2-ae90-48c1-9f0b-b30733f870f0
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/3b4a5644746f4f973ae3acb42bd83132
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2a2613220f805ec9446b4d266c68b3a04e45cd6beb30d20a01d0675fdbf114e8/
Verdict:
Malicious
Threat:
Family.ASYNCRAT
Link:
https://tip.neiki.dev/file/2a2613220f805ec9446b4d266c68b3a04e45cd6beb30d20a01d0675fdbf114e8
Threat name:
Win64.Trojan.Amadey
Create hunting rule
Status:
Suspicious
First seen:
2025-09-13 13:22:20 UTC
File Type:
PE+ (Exe)
AV detection:
25 of 38 (65.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fitbgiqpqbpmsrdljutgy2ftubheltll5mynecqb2btv7w7rctua._file
Verdict:
malicious
Label(s):
stormkitty
Create hunting rule
Similar samples:
1b05bc2d0bf55ba2098fcdfa9657577cfe344f2c231e229694175504029cee4c
StormKitty
217618775a0efa48a069417361b979851936425ec4bff065fef0a68f2858596f
StormKitty
2a2613220f805ec9446b4d266c68b3a04e45cd6beb30d20a01d0675fdbf114e8
StormKitty
31ba8080813690f32ff5cb3ad9c09a20129f81f0f4f11ed99d6cac35cb1d7c4d
StormKitty
61f37ca7debfeee417ebb8dedcae63e5eff966d216dd8c670e7e605c2caf2713
StormKitty
66714b3368a2365b0ac7cb6a09bf95dc6fb98989a74bcd2e274971b4237e6df7
StormKitty
afc25cfb131af91d7b7be577b5aae6af861edf377fbd4dd3faacd7fa42b88854
StormKitty
b303e5fa63277691ab5249294772aed02d0f294fe2d69dc5dfe2cc77a15a4e7a
StormKitty
error
StormKitty
+ 812 additional samples on MalwareBazaar
Result
Malware family:
stormkitty
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:stormkitty discovery rat stealer
Link:
https://tria.ge/reports/250914-ely51axqy8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
AsyncRat
Asyncrat family
StormKitty
StormKitty payload
Stormkitty family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0b720cbd-d1a4-4456-833e-94da3e96c18a
Unpacked files
SH256 hash:
2a2613220f805ec9446b4d266c68b3a04e45cd6beb30d20a01d0675fdbf114e8
MD5 hash:
3b4a5644746f4f973ae3acb42bd83132
SHA1 hash:
3b099f56a695a30985e1f615265602564d628096
Link:
https://www.unpac.me/results/ba2322af-32f1-4925-89d0-0e1c92ae77c1/
Malware family:
DCRat
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2a2613220f80/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2a2613220f805ec9446b4d266c68b3a04e45cd6beb30d20a01d0675fdbf114e8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

StormKitty

Executable exe 2a2613220f805ec9446b4d266c68b3a04e45cd6beb30d20a01d0675fdbf114e8

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3623376/
Cape
Cape
https://www.capesandbox.com/analysis/27395/

Comments