MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 475a80e9f7b9922f505595624de5d08d0c89b2ef2bb89cc6c2bdb921205ec220. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


StormKitty


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 475a80e9f7b9922f505595624de5d08d0c89b2ef2bb89cc6c2bdb921205ec220
SHA3-384 hash: dc62203b52c55485eca26dbc9f4d562d6a0309c9843e82c29ce7461c42bf78e75f6a71d8a0ee607b0bb68b7619aed1d3
SHA1 hash: 4c6e97447466c3615b8b564d928ae95461717947
MD5 hash: d12022ca18d335ee92a96b409d9d55cf
humanhash: may-april-bakerloo-lithium
File name:475a80e9f7b9922f505595624de5d08d0c89b2ef2bb89cc6c2bdb921205ec220
Download: download sample
Signature StormKitty
Create hunting rule
File size:796'160 bytes
First seen:2022-10-10 10:56:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'660 x AgentTesla, 19'470 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:pfzfih0m+3no6/PNLf2FNoDCSAbWnkkdylvez5LPh5O3a7M8nY4S3aIAATf6GfcE:pfwnJEkXUVPh8K7s3d3TmCtYY7LBZw
Threatray 1'896 similar samples on MalwareBazaar
TLSH T14E05BF54263A890BC9A9B670DCD1E3712FA46DE5435FC24F08DC3CABF13B2586DB12A5
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter adrian__luca
Tags:exe StormKitty

Intelligence

File Origin
# of uploads :
1
# of downloads :
213
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/318323/
Detection(s):
SecuriteInfo.com.W32.MSIL_Kryptik.FQW.gen.Eldorado.32289.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/6343fa7f81eef2a234c4b212/reports/e41f16bc-a96e-4d92-8256-eb0a3bfc5a41/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
BluStealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3e591d5b-b462-4d5f-a94a-3301e491bf2d
Result
Threat name:
BluStealer, DarkCloud, SpyEx, StormKitty
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1087413
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected BluStealer
Yara detected DarkCloud
Yara detected Generic Downloader
Yara detected SpyEx stealer
Yara detected StormKitty Stealer
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 719989 Sample: dFv9QcWQ1v.exe Startdate: 11/10/2022 Architecture: WINDOWS Score: 100 54 Malicious sample detected (through community Yara rule) 2->54 56 Sigma detected: Scheduled temp file as task from temp location 2->56 58 Multi AV Scanner detection for submitted file 2->58 60 9 other signatures 2->60 7 dFv9QcWQ1v.exe 7 2->7         started        11 XDmcVzcsfBo.exe 5 2->11         started        process3 file4 38 C:\Users\user\AppData\...\XDmcVzcsfBo.exe, PE32 7->38 dropped 40 C:\Users\...\XDmcVzcsfBo.exe:Zone.Identifier, ASCII 7->40 dropped 42 C:\Users\user\AppData\Local\...\tmp6EA8.tmp, XML 7->42 dropped 44 C:\Users\user\AppData\...\dFv9QcWQ1v.exe.log, ASCII 7->44 dropped 62 Uses schtasks.exe or at.exe to add and modify task schedules 7->62 64 Adds a directory exclusion to Windows Defender 7->64 66 Injects a PE file into a foreign processes 7->66 13 dFv9QcWQ1v.exe 1 7->13         started        16 powershell.exe 21 7->16         started        18 schtasks.exe 1 7->18         started        20 dFv9QcWQ1v.exe 7->20         started        68 Multi AV Scanner detection for dropped file 11->68 22 XDmcVzcsfBo.exe 11->22         started        24 schtasks.exe 11->24         started        signatures5 process6 signatures7 80 Writes to foreign memory regions 13->80 82 Allocates memory in foreign processes 13->82 84 Injects a PE file into a foreign processes 13->84 26 AppLaunch.exe 15 3 13->26         started        30 conhost.exe 16->30         started        32 conhost.exe 18->32         started        34 AppLaunch.exe 22->34         started        36 conhost.exe 24->36         started        process8 dnsIp9 46 icanhazip.com 104.18.114.97, 49695, 80 CLOUDFLARENETUS United States 26->46 48 231.58.0.0.in-addr.arpa 26->48 70 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 26->70 72 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 26->72 74 May check the online IP address of the machine 26->74 50 104.18.115.97, 49696, 80 CLOUDFLARENETUS United States 34->50 52 231.58.0.0.in-addr.arpa 34->52 76 Tries to steal Mail credentials (via file / registry access) 34->76 78 Tries to harvest and steal browser information (history, passwords, etc) 34->78 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/475a80e9f7b9922f505595624de5d08d0c89b2ef2bb89cc6c2bdb921205ec220/
Threat name:
ByteCode-MSIL.Spyware.SnakeLogger
Create hunting rule
Status:
Malicious
First seen:
2022-09-20 03:00:39 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
22 of 26 (84.62%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=i5nib2pxxgjc6ucvsvre3zoqrugitmxpfo4jzrwcxw4scic6yiqa._file
Verdict:
malicious
Similar samples:
1fec1e11e26b8d1de831b50ff0163dfca3a751e3bb28ea372b54a7c9cc19cff6
StormKitty
270500c5521140994311eb56049807f33541472e66e3aefc8101fc2767c4fea6
StormKitty
60951ec1ed11f5ca0eeda2940466dc675d2fefa2bf3750c26b12c967d0c1fba4
StormKitty
70d121cfabbbf118335b8ae4f6a3a072f09ce2f11bd73c711120fa9070d608e3
StormKitty
73a0327037d99cc1b679dd7a845323da2380535813892602400997cd7a7495d6
StormKitty
8590ebe9a64020b717f0fda3bc22a35bc6f4f488e63d9a5f8deadd67aa89921e
StormKitty
b3a18bdc77b3fdfddbb70867d97fafeaaba9397c308e4b41bf54531f579d809b
StormKitty
dc73cd20086fe27874bc1a682eb49a97808270b2884bc5e12e162cce4a63e8ff
StormKitty
+ 1'886 additional samples on MalwareBazaar
Result
Malware family:
stormkitty
Create hunting rule
Score:
  10/10
Tags:
family:blustealer family:stormkitty collection stealer
Link:
https://tria.ge/reports/221010-m188hsbed7/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
BluStealer
StormKitty
StormKitty payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5732817033:AAFBYIIZmJ7NuvVwD7WRcbV9qwcOqT7RpwM/sendMessage?chat_id=1638137774
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/7ae55c23-f654-44d3-894b-773b73a37cc9
Unpacked files
SH256 hash:
2efa7ce4993c927c34d5c89eff97f84b467317db9b52ddf04014733ff7c42b58
MD5 hash:
94213ed7fff43932721f05a57c56b1da
SHA1 hash:
2dfe694dcab8721d21916a78071d8d4277cbda91
Detections:
win_agent_tesla_g2
Create hunting rule
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/1feb74d1-146a-4c08-bb53-66711dc11686/
Parent samples :
e6186ec4c3e525c4874d167f188ef42aeac032ef6bfb6b30d72e00f9a4ab324e
d757a473268b029ee5f0d485c13345d4714da5d7b2e9d73e7f2e0ca9162a2730
1d9598ad9d7e41bd0513c7d263c805fb0598f18c7c69e3997bd109c1e058f212
04dd34e9c47d5e11228de612106b71ba98fc2ca94840543acaf843cbb7123e99
812e860ce5f169fed3c366dc9781e342e6c4da50e997c051e3788621ef71b6af
1fa00eab8fe9ab441e2bbc0be43c34a77724c3a0b580b733ecdbe89a3e0d03b7
4649b0df03857384398c1b95c2e26768ed8a6198499a39d3efdb8d696ede4176
dfdea8e5cc329e17847e129d8e515043b0dba31f1af48304f28dd181483607ae
2db92360a5d32dd3761be21606b76a93a201e8f984198ae8f3fd3fee12759b39
beb46012919018735132f1ca08c31ac870b2be20e97a4b3fac463616c5504fa0
fdeafb2bf6cc3d798d2fa099f3619d096f17a57b89172020922c2a63f48d8aeb
3e2842c40ff26c60b69e08934b9b80fefe0cd2d091fbd6fa91a2b97f3487137c
c770ddf80ec05a624d91aa9635b20dc5978a057847e1750135dc418e18ac24b6
e57050b46da3903b314d721bfb34e69ad18b8906d29b0193dd155981e5f37807
576fba66410ffbb712a8412d2469e68d4c6d4daa1f32604afa4c4d7ae51a2a63
54c419e5d402c052ca814fa728a82fdb2cfd67788960112429ef2f4734e9c866
97dd5625186d8b272fcffd07098106fdebc7792a18a019cb310ff81f0d7e0a21
f9e4451730239448df0b825886e85b1af1ce388697ed890e8d1d4152b09312d0
28be1b525319b02993d31a3d45330e8924f40b4ebeb8696a89bcd3333bea26d5
7130b704fe2c8bf91508ad0dfa4869780e5afc92918f0f92e25c4e9523d1ab56
475a80e9f7b9922f505595624de5d08d0c89b2ef2bb89cc6c2bdb921205ec220
ce2518f0eddcfaa14c9c110d8df87b6aeeebabd851c53954a6702493be867338
SH256 hash:
c7fcadf9585bdffd3fc31b18c3f8e4cc9db6e03daf5642f55e9046d9db99d178
MD5 hash:
a585d857ffbcd898bce0e2874b82bf46
SHA1 hash:
f190861b966cc392bc4804b5bd97b51b0798b8d2
Link:
https://www.unpac.me/results/1feb74d1-146a-4c08-bb53-66711dc11686/
SH256 hash:
16a775ae7240434e0563eeb9220c0fb4d2352251d4483d08d9d9678f2b743f1c
MD5 hash:
cb51286b55d81634de24cdf0fa2bd358
SHA1 hash:
af50caf6cc4ba374d63911031491fc846ce443db
Link:
https://www.unpac.me/results/1feb74d1-146a-4c08-bb53-66711dc11686/
SH256 hash:
7cb8c2a6a3352764a83b41def642e67cd57c720130ba276d7d57c86773d49ca9
MD5 hash:
1303c8a0b72250c4566010958e2c70f7
SHA1 hash:
9c8eb123d29bb237d8dea9b21607caa76b4b2fe8
Link:
https://www.unpac.me/results/1feb74d1-146a-4c08-bb53-66711dc11686/
SH256 hash:
44c50087cbd9a86677ff5b898c1ad52abf5f25297179a174edcc8b81dec967fc
MD5 hash:
d012ba9057bf67c7f29871326f2af919
SHA1 hash:
1d5b8b512b37f0e1900496b578117082929654c7
Link:
https://www.unpac.me/results/1feb74d1-146a-4c08-bb53-66711dc11686/
SH256 hash:
e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee
MD5 hash:
35cb29046968faca7f3f3b4463449b6c
SHA1 hash:
088c8c30ec1bece0a4b5bbfe3982b073f8b95598
Link:
https://www.unpac.me/results/1feb74d1-146a-4c08-bb53-66711dc11686/
SH256 hash:
475a80e9f7b9922f505595624de5d08d0c89b2ef2bb89cc6c2bdb921205ec220
MD5 hash:
d12022ca18d335ee92a96b409d9d55cf
SHA1 hash:
4c6e97447466c3615b8b564d928ae95461717947
Link:
https://www.unpac.me/results/1feb74d1-146a-4c08-bb53-66711dc11686/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/475a80e9f7b9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/475a80e9f7b9922f505595624de5d08d0c89b2ef2bb89cc6c2bdb921205ec220

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/318323/

Comments