MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 30c738704cea85f5ccea877f987abc3e6250ffdf52abd60852c96d5fde2281bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


StormKitty


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 30c738704cea85f5ccea877f987abc3e6250ffdf52abd60852c96d5fde2281bd
SHA3-384 hash: 8b4e1b46bbb75c96df751dfaacf2811941b7b57c3b25dbcc6b362b0b81403d64910629a8498c4b3698afefd81614cd59
SHA1 hash: 18002ed9408c2ebb8c744365176e937f5b701336
MD5 hash: 8fb1f1ec968e52ae2c514d5e83639c6f
humanhash: jersey-sad-double-jersey
File name:Halkbank_Ekstre_20221003_081552_734629.pdf.exe
Download: download sample
Signature StormKitty
Create hunting rule
File size:988'160 bytes
First seen:2022-10-03 17:07:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:dENf32iNCdqE22rkaJprY5M9b31qtdBPh6T0wnrK4HTN:dSf31cdfvdprY5MFlMdR+0Y
Threatray 1'731 similar samples on MalwareBazaar
TLSH T18A25D02512BA4B0BC5166774DCC2C3B0AFE45D70E2B5C24B4FDDBDABB4772A5AE21102
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe geo Halkbank StormKitty Telegram TUR

Intelligence

File Origin
# of uploads :
1
# of downloads :
311
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
quasar
Create hunting rule
ID:
1
File name:
30c738704cea85f5ccea877f987abc3e6250ffdf52abd60852c96d5fde2281bd.zip
Verdict:
Malicious activity
Analysis date:
2022-10-03 18:06:13 UTC
Tags:
evasion stealer quasar
Link:
https://app.any.run/tasks/fe2ddf99-85a3-41e5-af67-9cfecf2bb2d5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/316193/
Detection(s):
SecuriteInfo.com.W32.MSIL_Kryptik.FQW.gen.Eldorado.32289.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/633b16f2d089a0c15dd4d4b0/reports/be855d0d-4bef-4c91-a56a-419f6d424403/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
BluStealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5bb5939b-9aca-42b9-99ee-44b4c96e0e69
Result
Threat name:
BluStealer, DarkCloud, StormKitty
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1082689
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected BluStealer
Yara detected DarkCloud
Yara detected Generic Downloader
Yara detected StormKitty Stealer
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 715254 Sample: Halkbank_Ekstre_20221003_08... Startdate: 03/10/2022 Architecture: WINDOWS Score: 100 30 Malicious sample detected (through community Yara rule) 2->30 32 Multi AV Scanner detection for submitted file 2->32 34 Yara detected DarkCloud 2->34 36 10 other signatures 2->36 7 Halkbank_Ekstre_20221003_081552_734629.pdf.exe 3 2->7         started        process3 file4 24 Halkbank_Ekstre_20..._734629.pdf.exe.log, ASCII 7->24 dropped 46 Injects a PE file into a foreign processes 7->46 11 Halkbank_Ekstre_20221003_081552_734629.pdf.exe 1 7->11         started        14 Halkbank_Ekstre_20221003_081552_734629.pdf.exe 7->14         started        16 Halkbank_Ekstre_20221003_081552_734629.pdf.exe 7->16         started        18 Halkbank_Ekstre_20221003_081552_734629.pdf.exe 7->18         started        signatures5 process6 signatures7 48 Writes to foreign memory regions 11->48 50 Allocates memory in foreign processes 11->50 52 Injects a PE file into a foreign processes 11->52 20 AppLaunch.exe 15 3 11->20         started        process8 dnsIp9 26 icanhazip.com 104.18.115.97, 49697, 80 CLOUDFLARENETUS United States 20->26 28 246.204.9.0.in-addr.arpa 20->28 38 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 20->38 40 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 20->40 42 May check the online IP address of the machine 20->42 44 2 other signatures 20->44 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/30c738704cea85f5ccea877f987abc3e6250ffdf52abd60852c96d5fde2281bd/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-10-03 17:08:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
27 of 41 (65.85%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gddtq4cm5kc7lthkq57zq6v4hzrfb767kkv5mccszfwv7xrcqg6q._file
Verdict:
malicious
Similar samples:
02a1835ea805bb1a6ca8d1706fa5a811279ec3fcb1524eb83cfa60f0314cf0dd
StormKitty
29dbbf1bffa1c271158334e05721f8a7fb76513d5ba0d8c5a5abe267cccdbe4b
StormKitty
3704c9065de2c596066dbca893c63b1d12b9264d62cffd92ffc49aaf919b49a5
StormKitty
547e11f854149b57fd150f999595def28a46ce48d71b78dd3bf3310caeb18fdb
StormKitty
701ef63a3a8c4f2eb90d64cd897e0098460e1272a54404b90ab794a685b98ffc
StormKitty
da67541015af6ddee5bad1432ecc3efbf85cde69c494fd1635edbae606c4a628
StormKitty
db8326300154e132bca39bb24e89949dbe41c9af90d9f10242dce3f9423ab094
StormKitty
e68526e8ebc0cb1342ed01317aa6966d83bea1b71b1285b55b653a512200304c
StormKitty
+ 1'721 additional samples on MalwareBazaar
Result
Malware family:
stormkitty
Create hunting rule
Score:
  10/10
Tags:
family:blustealer family:stormkitty collection stealer
Link:
https://tria.ge/reports/221003-vnjq4agah9/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
BluStealer
StormKitty
StormKitty payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5374342837:AAHF-c1HAIvNCdF89VuEdNggsL2YBlpgkSE/sendMessage?chat_id=2133303215
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/58041415-fe5f-4c8e-8ac5-b4b7d75d1776
Unpacked files
SH256 hash:
20f36a6f266b39bd7c1ffb021a7917bdefcc8d5fd912d386d9ac5400e3bd63f1
MD5 hash:
5995d11fc8f7c3aa41e6a1f89baca10b
SHA1 hash:
19c8421f9c7ae601d5207d9a9e788a9d6b96d9c8
Link:
https://www.unpac.me/results/81519f73-76f3-4780-aa41-2ca5328c9a43/
SH256 hash:
c44e214f957a499865eda4583f732951ad1f8fc89f962d113665fdb671a26736
MD5 hash:
0f6f7f32d9ffc9274fcc932518826234
SHA1 hash:
7081e614978acacc566098f9d9b233a27614fbc2
Link:
https://www.unpac.me/results/81519f73-76f3-4780-aa41-2ca5328c9a43/
SH256 hash:
a04c799fa302c78d04acc3b4be8ccbde2f7fa00fe515daf18a2fc7e65fad3b13
MD5 hash:
d76812ec4cbc45e1e26ed36691596f7e
SHA1 hash:
c854fe9792694fb464a0bed51c737ff61ccef736
Link:
https://www.unpac.me/results/81519f73-76f3-4780-aa41-2ca5328c9a43/
SH256 hash:
9b6d976208115f27edfda67b8afff45638ffc508e4ea4b1ee22822aa09706e64
MD5 hash:
a7d16c69213e5a89834bf4a0f175b079
SHA1 hash:
39dfbbce86664f5080eab020ad46a5dfb0d5d1d3
Link:
https://www.unpac.me/results/81519f73-76f3-4780-aa41-2ca5328c9a43/
SH256 hash:
d819c2b947127048fb67fd0cc1d537375f833830a35daac0ec77562f25b235a2
MD5 hash:
0de79ced15f9b7b9148f34ebf00f4d9e
SHA1 hash:
360f6e9d4a22b10beb1759afbd9cfba11058975a
Link:
https://www.unpac.me/results/81519f73-76f3-4780-aa41-2ca5328c9a43/
SH256 hash:
e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee
MD5 hash:
35cb29046968faca7f3f3b4463449b6c
SHA1 hash:
088c8c30ec1bece0a4b5bbfe3982b073f8b95598
Link:
https://www.unpac.me/results/81519f73-76f3-4780-aa41-2ca5328c9a43/
SH256 hash:
30c738704cea85f5ccea877f987abc3e6250ffdf52abd60852c96d5fde2281bd
MD5 hash:
8fb1f1ec968e52ae2c514d5e83639c6f
SHA1 hash:
18002ed9408c2ebb8c744365176e937f5b701336
Link:
https://www.unpac.me/results/81519f73-76f3-4780-aa41-2ca5328c9a43/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/30c738704cea/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/30c738704cea85f5ccea877f987abc3e6250ffdf52abd60852c96d5fde2281bd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/316193/

Comments