MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2f0bb4d74005cf2460f4e5f0ef95390ef017fd154b00ada7492b266ca589ba3e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


StormKitty


Vendor detections: 16


Intelligence 16 IOCs YARA 18 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2f0bb4d74005cf2460f4e5f0ef95390ef017fd154b00ada7492b266ca589ba3e
SHA3-384 hash: c1cedb79e4213237a85cafe1e561a5040e1e5a1f108570f940681dc474e9bec363ab45ba46b6136f9aa9770da78c48de
SHA1 hash: 37577934002e1f8b2d05cee98de8f672e4b64b34
MD5 hash: 92b485e82500b6827cbbaabfcbb08b16
humanhash: utah-social-foxtrot-magnesium
File name:Crunchyroll [CHECKER 2023] V1.3.exe
Download: download sample
Signature StormKitty
Create hunting rule
File size:16'922'624 bytes
First seen:2023-02-23 16:07:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9222d372923baed7aa9dfa28449a94ea (11 x AsyncRAT, 10 x RedLineStealer, 9 x NanoCore)
ssdeep 393216:gu7L/1edQ2l6+9Joaw2N+mzW83OmwGJLaX4FcYq:gCLdedQm9Jq2NZW833Vc
Threatray 1'101 similar samples on MalwareBazaar
TLSH T191073355B3921CD9E4EE4337E09381509A22FC134391F2DB0AE43DA63D9B39C9D35AAD
TrID 64.8% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
24.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
3.4% (.EXE) Win64 Executable (generic) (10523/12/4)
1.8% (.FON) Windows Font (5545/9/1)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 9679f57061b0cc23 (1 x StormKitty)
Reporter Chainskilabs
Tags:exe StormKitty

Intelligence

File Origin
# of uploads :
1
# of downloads :
274
Origin country :
US US
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
Crunchyroll [CHECKER 2023] V1.3.exe
Verdict:
Malicious activity
Analysis date:
2023-02-23 16:10:26 UTC
Tags:
ransomware stealerium evasion stealer asyncrat
Link:
https://app.any.run/tasks/8a808d62-54c2-45cc-91b3-79582e81ba22

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Tool.Binder-9794371-0
Create hunting rule

Win.Packed.AsyncRAT-9856570-1
Create hunting rule

Win.Packed.AsyncRAT-9938103-1
Create hunting rule

Win.Trojan.Binder-6
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Using the Windows Management Instrumentation requests
Running batch commands
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Reading critical registry keys
Creating a window
Launching a process
Launching the process to change network settings
Unauthorized injection to a recently created process
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
80%
Tags:
anti-vm asyncrat fingerprint greyware hacktool net njrat packed rat shell32.dll stealer
Link:
https://www.filescan.io/uploads/63f78f65ab9a5864460648ee/reports/054b1782-33d4-497b-a776-49244ea668be/overview
Verdict:
Malicious
Labled as:
HackTool/Vbinder
Link:
https://www.hybrid-analysis.com/sample/2f0bb4d74005cf2460f4e5f0ef95390ef017fd154b00ada7492b266ca589ba3e
Result
Verdict:
MALICIOUS
Malware family:
Stealerium Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bf61d233-d53d-4930-851d-944fff73210e
Result
Threat name:
AsyncRAT, StormKitty
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1181441
Signature
Antivirus / Scanner detection for submitted sample
Connects to a pastebin service (likely for C&C)
DLL reload attack detected
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Capture Wi-Fi password
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Uses netsh to modify the Windows network and firewall settings
Uses the Telegram API (likely for C&C communication)
Yara detected AsyncRAT
Yara detected Generic Downloader
Yara detected StormKitty Stealer
Yara detected Telegram RAT
Yara detected Telegram Recon
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 814272 Sample: Crunchyroll [CHECKER 2023] ... Startdate: 23/02/2023 Architecture: WINDOWS Score: 100 66 Malicious sample detected (through community Yara rule) 2->66 68 Antivirus / Scanner detection for submitted sample 2->68 70 Sigma detected: Capture Wi-Fi password 2->70 72 12 other signatures 2->72 8 Crunchyroll [CHECKER 2023] V1.3.exe 3 2->8         started        process3 file4 46 C:\Users\user\AppData\...\WORLDWINDCLIENT.EXE, PE32 8->46 dropped 48 C:\Users\user\...\CRUNCHYROLL [2023] V1.3.EXE, PE32+ 8->48 dropped 11 WORLDWINDCLIENT.EXE 15 140 8->11         started        16 CRUNCHYROLL [2023] V1.3.EXE 502 8->16         started        process5 dnsIp6 60 api.telegram.org 149.154.167.220, 443, 49702, 49703 TELEGRAMRU United Kingdom 11->60 62 icanhazip.com 104.18.114.97, 49700, 80 CLOUDFLARENETUS United States 11->62 64 3 other IPs or domains 11->64 50 C:\Users\user\AppData\...\VAMYDFPUND.png, ASCII 11->50 dropped 52 C:\Users\user\AppData\...\FENIVHOIKN.xlsx, ASCII 11->52 dropped 54 C:\Users\user\AppData\...\BPMLNOBVSB.jpg, ASCII 11->54 dropped 56 2 other malicious files 11->56 dropped 78 Multi AV Scanner detection for dropped file 11->78 80 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 11->80 82 May check the online IP address of the machine 11->82 84 4 other signatures 11->84 18 cmd.exe 1 11->18         started        21 cmd.exe 1 11->21         started        23 CRUNCHYROLL [2023] V1.3.EXE 16->23         started        26 conhost.exe 16->26         started        file7 signatures8 process9 dnsIp10 74 Uses netsh to modify the Windows network and firewall settings 18->74 76 Tries to harvest and steal WLAN passwords 18->76 28 netsh.exe 3 18->28         started        30 conhost.exe 18->30         started        32 findstr.exe 1 18->32         started        34 chcp.com 1 18->34         started        36 netsh.exe 3 21->36         started        38 conhost.exe 21->38         started        40 chcp.com 1 21->40         started        58 pastebin.com 104.20.67.143, 443, 49716 CLOUDFLARENETUS United States 23->58 42 cmd.exe 23->42         started        44 cmd.exe 23->44         started        signatures11 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2f0bb4d74005cf2460f4e5f0ef95390ef017fd154b00ada7492b266ca589ba3e/
Threat name:
Win32.Backdoor.AsyncRAT
Create hunting rule
Status:
Malicious
First seen:
2023-02-23 16:08:15 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
32 of 39 (82.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=f4f3jv2aaxhsiyhu4xyo7fjzb3ybp7ivjmak3j2jfmtgzjmjxi7a._file
Verdict:
malicious
Similar samples:
17b7efa461eeb91d0e83ae6f90bf00c27900f58f2d27da1cf25ea5d44345bdd3
StormKitty
3a00b622128701df9801fb9fc2465bd33a0c3d7ff004333e9fff8f70997dcd83
StormKitty
405c9f6e9b379914b66eedba3ba0fca6437ebbd4874c066c5cf6b32ea10c079d
StormKitty
5fc60cbffc44d23cb91b9b61d121794949931d7ed56f0311d68f9176deb961ed
StormKitty
6da5530eff5617af7c73aa5c1211971702a8ba5dffb67d76aad7c889185b2f46
StormKitty
d074db16525688d38bd4d33669e2406e7ab6cc6f5e2d039dafe019f419622416
StormKitty
e0b5142a0af8f9cf06f8e7cb073828711c38a9c47a906d820300d79a7dbce186
StormKitty
eb1bc9a5f5c530c8a4d271f626906fe986e5622fe4c635aceb77e95898978654
StormKitty
+ 1'091 additional samples on MalwareBazaar
Result
Malware family:
stormkitty
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:stormkitty botnet:default pyinstaller rat spyware stealer
Link:
https://tria.ge/reports/230223-tlsesaac7z/
Behaviour
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Detects Pyinstaller
Enumerates physical storage devices
Drops desktop.ini file(s)
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Async RAT payload
AsyncRat
StormKitty
StormKitty payload
Malware Config
C2 Extraction:
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot6196076192:AAF99zylbr46S6zR2M6Fbv7gE0eAuYfzRmg/sendMessage?chat_id=927024838
Unpacked files
SH256 hash:
2f0bb4d74005cf2460f4e5f0ef95390ef017fd154b00ada7492b266ca589ba3e
MD5 hash:
92b485e82500b6827cbbaabfcbb08b16
SHA1 hash:
37577934002e1f8b2d05cee98de8f672e4b64b34
Detections:
AsyncRAT
Create hunting rule
win_asyncrat_w0
Create hunting rule
Link:
https://www.unpac.me/results/3afd038c-3adb-4887-90ac-5f8744eab286/
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2f0bb4d74005/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2f0bb4d74005cf2460f4e5f0ef95390ef017fd154b00ada7492b266ca589ba3e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:INDICATOR_SUSPICIOUS_EXE_CC_Regex
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing credit card regular expressions
Rule name:INDICATOR_SUSPICIOUS_EXE_Discord_Regex
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing Discord tokens regular expressions
Rule name:INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
Create hunting rule
Author:ditekSHen
Description:Detects executables containing URLs to raw contents of a Github gist
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_VPN
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many VPN software clients. Observed in infosteslers
Rule name:INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
Author:ditekSHen
Description:Detects binaries and memory artifcats referencing sandbox DLLs typically observed in sandbox evasion
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing Windows vault credential objects. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_WirelessNetReccon
Create hunting rule
Author:ditekSHen
Description:Detects executables with interest in wireless interface using netsh
Rule name:malware_asyncrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
Rule name:MALWARE_Win_StormKitty
Create hunting rule
Author:ditekSHen
Description:Detects StormKitty infostealer
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/
Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT
Rule name:win_asyncrat_w0
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

StormKitty

Executable exe 2f0bb4d74005cf2460f4e5f0ef95390ef017fd154b00ada7492b266ca589ba3e

(this sample)

  
Delivery method
Distributed via web download

Comments