MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 528da74bdb9e2d14c7efdeae6e6ec95f5311edc6eb894cd29d91c8371c42e88b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



StormKitty


Vendor detections: 11



SHA256 hash: 528da74bdb9e2d14c7efdeae6e6ec95f5311edc6eb894cd29d91c8371c42e88b
SHA3-384 hash: dd7c923009ff45ad1511cf7c97fbb629ea18423104acad302665d62f313fe6a935ff9a7e58e1ffed65f5ecddcfe9ce74
SHA1 hash: 5442ec5241b98ee4b99bb3589fd0aff0e4e9e5a1
MD5 hash: 7f3925dff382cadcf0b296046a2c1fb3
humanhash: freddie-solar-muppet-solar
File name: Internet Download Manager (IDM) v6.42 Build 42 + Fix{CracksHash}.iso
Signature: StormKitty
File size: 18'284'544 bytes
First seen: 2025-12-23 16:55:33 UTC
Last seen: Never
File type: iso
MIME type: application/x-iso9660-image
ssdeep: 98304:6toBq+tWqSb+MMXFH5yU4BDGerofitoBq+tWqSb+MMXFH5yU4BDGerof:goUS6+MMXFQx8fYoUS6+MMXFQx8f
TLSH: T1B3078D09EC240674C5A9827056E304D99E36BDD53B501AF726FD7ABD0F236C46ABE2CC
TrID: 47.6% (.ISO/UDF) UDF disc image (2114500/1/6)
      46.1% (.NULL) null bytes (2048000/1)
      5.7% (.HTP) HomeLab/BraiLab Tape image (256000/1)
      0.1% (.GL) GRASP animation (6508/7/3)
      0.1% (.ATN) Photoshop Action (5007/6/1)
Magika: iso
Reporter: aachum
Tags: 178-22-24-175 iso StormKitty VenomRAT vidar


iamaachum
https://downloadtorrentfile.com/hash/5ab4176a2d094f3d361705e2c23be3afabdb4ee2?name=Internet%20Download%20Manager%20%28IDM%29%20v6.42%20Build%2042%20%2b%20Fix%7bCracksHash%7d

VenomRAT C2: 178.22.24.175:4449
Vidar C2:
https://telegram.me/gal17d
https://steamcommunity.com/profiles/76561198759765485
https://xet.multiatend.com.br/
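The indicators in the reporter's comment (the VenomRAT socket and the Vidar URLs, which sit on otherwise legitimate services) are the kind of thing a SOC wants to sweep logs for. The script below is an example added here, not MalwareBazaar's or the reporter's code. It assumes JSON-lines logs with Zeek's conn.log, ssl.log and http.log field names (id.orig_h, id.resp_h, id.resp_p, server_name, host, uri); the log lines themselves are constructed. Because telegram.me and steamcommunity.com are legitimate, only a match on host plus the exact path counts as high confidence; an SNI hit on those hosts alone is reported as low confidence for corroboration, and a full-path match requires a proxy that logs decrypted URLs.

```python
"""Match the network IOCs above against JSON-lines flow/proxy logs shaped like
Zeek conn.log, ssl.log and http.log. Added example, not MalwareBazaar's or the
reporter's code; SAMPLE_LOGS is constructed, only the indicators are from the page."""
import ipaddress
import json
from urllib.parse import urlsplit

TAGGED_IP = "178-22-24-175"                               # MalwareBazaar writes IPv4 tags with dashes
C2_SOCKETS = {("178.22.24.175", 4449)}                    # VenomRAT C2 from the reporter's comment
DEAD_DROP_URLS = [                                         # Vidar URLs on otherwise legitimate services
    "https://telegram.me/gal17d",
    "https://steamcommunity.com/profiles/76561198759765485",
    "https://xet.multiatend.com.br/",
]
CONFIDENCE = {"c2": "high", "c2-host": "high", "dead-drop": "high", "dead-drop-host": "low"}


def tag_to_ip(tag: str) -> str:
    """'178-22-24-175' -> '178.22.24.175', rejecting anything that is not an IPv4 address."""
    return str(ipaddress.IPv4Address(tag.replace("-", ".")))


def url_key(url: str) -> tuple:
    """(host, path) with lowercase host and no scheme, port, query or trailing slash."""
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), (parts.path.rstrip("/") or "/")


C2_IPS = {ip for ip, _ in C2_SOCKETS}
DEAD_DROP_KEYS = {url_key(u) for u in DEAD_DROP_URLS}
DEAD_DROP_HOSTS = {host for host, _ in DEAD_DROP_KEYS}


def scan(lines):
    """Return (line number, kind, internal host, indicator) for every match.
    Full-URL hits need a proxy that logs decrypted paths; an SNI alone (ssl.log) only
    proves a connection to telegram.me or steamcommunity.com, so it is low confidence."""
    hits = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        rec = json.loads(line)
        src = rec.get("id.orig_h", "?")
        if "id.resp_h" in rec:                                          # conn.log / ssl.log
            ip, port = rec["id.resp_h"], int(rec["id.resp_p"])
            if (ip, port) in C2_SOCKETS:
                hits.append((n, "c2", src, f"{ip}:{port}"))
            elif ip in C2_IPS:
                hits.append((n, "c2-host", src, f"{ip}:{port}"))
        sni = (rec.get("server_name") or "").lower()                    # ssl.log (may be null)
        if sni in DEAD_DROP_HOSTS:
            hits.append((n, "dead-drop-host", src, sni))
        if "host" in rec and "uri" in rec:                              # http.log / decrypting proxy
            if url_key(f"http://{rec['host']}{rec['uri']}") in DEAD_DROP_KEYS:
                hits.append((n, "dead-drop", src, rec["host"] + rec["uri"]))
    return hits


def hosts_to_triage(hits) -> set:
    """Internal hosts with at least one high-confidence hit."""
    return {src for _, kind, src, _ in hits if CONFIDENCE[kind] == "high"}


# Constructed log lines; 203.0.113.10 is documentation address space standing in for a CDN edge.
SAMPLE_LOGS = """
{"ts":1766506000.1,"id.orig_h":"10.0.0.7","id.orig_p":51000,"id.resp_h":"178.22.24.175","id.resp_p":4449,"proto":"tcp"}
{"ts":1766506001.2,"id.orig_h":"10.0.0.9","id.orig_p":51001,"id.resp_h":"178.22.24.175","id.resp_p":443,"proto":"tcp"}
{"ts":1766506002.3,"id.orig_h":"10.0.0.7","id.orig_p":51002,"id.resp_h":"203.0.113.10","id.resp_p":443,"server_name":"telegram.me"}
{"ts":1766506003.4,"id.orig_h":"10.0.0.7","method":"GET","host":"steamcommunity.com","uri":"/profiles/76561198759765485"}
{"ts":1766506004.5,"id.orig_h":"10.0.0.12","method":"GET","host":"steamcommunity.com","uri":"/profiles/1234567890"}
{"ts":1766506005.6,"id.orig_h":"10.0.0.7","method":"GET","host":"xet.multiatend.com.br","uri":"/"}
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS.strip().splitlines()):
        print(hit)
```

Run against the constructed lines, the fifth record (a different Steam profile) produces no hit, which is the point of keying on host plus path rather than on the host alone; the port-443 connection to the VenomRAT address is still reported, since any traffic to a known C2 host is worth a look.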

Intelligence


File Origin
# of uploads: 1
# of downloads: 36
Origin country: FR
File Archive Information

This file archive contains 3 file(s), sorted by their relevance:

File name: idman642build42.exe
File size: 12'295'264 bytes
SHA256 hash: 1ac4f13534743be2ae855a33db85ef60221cc8b69303c8ebbd42af8a6c42cd8c
MD5 hash: 93a1b2c01b2964a8a8110e93a97548b4
MIME type: application/x-dosexec
Signature: StormKitty

File name: Instructions! .txt
File size: 881 bytes
SHA256 hash: f21256c9b8b5e383f2b9c309b9b9ccde26388d8129b9945d858a5dc89001da52
MD5 hash: c80705f8ea7e87cd0b6093eb4c5a2943
MIME type: text/plain
Signature: StormKitty

File name: IDM_6.4x_Crack_v20.4.exe
File size: 4'790'392 bytes
SHA256 hash: f3a4b0da6aee356030a581a3423a43136821add76ba78f22455e5bc99b947c56
MD5 hash: f8b4de48377048dae1a44ec5db2248df
MIME type: application/x-dosexec
Signature: StormKitty
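The per-file hashes above can be reproduced from the ISO without mounting it (double-clicking an ISO on Windows mounts it as a drive, which is exactly how this lure gets its payloads in front of the user). The reader below is an example added here, not MalwareBazaar's code: a minimal ISO 9660 parser that walks the volume descriptor set, prefers the Joliet descriptor for long file names, and hashes every file in the root directory so the result can be checked line by line against the listing. build_iso() exists only to construct a small in-memory test image; the file names in SAMPLE_FILES are borrowed from the listing above, their contents are dummy bytes.

```python
"""List and hash the root-directory files of an ISO 9660 / Joliet image (this sample's
lure format) for comparison with MalwareBazaar's per-file hashes. Added example, not
MalwareBazaar code; build_iso() only constructs a small test image."""
import hashlib
import struct

SECTOR = 2048

def _dir_record(ident: bytes, lba: int, size: int, flags: int) -> bytes:
    """One ECMA-119 directory record; integers are stored both little- and big-endian."""
    pad = b"\x00" if len(ident) % 2 == 0 else b""                 # record length must be even
    body = (b"\x00"                                                 # extended attribute length
            + struct.pack("<I", lba) + struct.pack(">I", lba)      # extent location
            + struct.pack("<I", size) + struct.pack(">I", size)    # data length
            + b"\x00" * 7 + bytes([flags, 0, 0])                   # timestamp, flags, unit, gap
            + struct.pack("<H", 1) + struct.pack(">H", 1)          # volume sequence number
            + bytes([len(ident)]) + ident + pad)
    return bytes([len(body) + 1]) + body

def build_iso(files, joliet=True) -> bytes:
    """Constructed test image. files = [(8.3 name, long name, content)]."""
    term = 18 if joliet else 17                                     # descriptor set terminator
    root, jroot = term + 1, term + 2
    extents, nxt = [], (jroot + 1 if joliet else root + 1)
    for _, _, content in files:
        extents.append(nxt)
        nxt += max(1, -(-len(content) // SECTOR))                  # sectors per file, at least one
    image = bytearray(nxt * SECTOR)
    def put(lba, data):
        image[lba * SECTOR:lba * SECTOR + len(data)] = data
    def descriptor(kind, dir_lba=None, escape=b""):
        vd = bytearray(SECTOR)
        vd[0], vd[1:6], vd[6] = kind, b"CD001", 1
        vd[88:88 + len(escape)] = escape
        if dir_lba is not None:
            vd[156:190] = _dir_record(b"\x00", dir_lba, SECTOR, 0x02)
        return vd
    def directory(dir_lba, encode):
        recs = _dir_record(b"\x00", dir_lba, SECTOR, 0x02) + _dir_record(b"\x01", dir_lba, SECTOR, 0x02)
        for (short, long, content), lba in zip(files, extents):
            recs += _dir_record(encode(short, long), lba, len(content), 0x00)
        assert len(recs) <= SECTOR, "test builder supports one directory sector"
        return recs
    put(16, descriptor(1, root))
    if joliet:
        put(17, descriptor(2, jroot, b"%/E"))                      # Joliet escape: UCS-2 level 3
        put(jroot, directory(jroot, lambda s, l: (l + ";1").encode("utf-16-be")))
    put(term, descriptor(255))
    put(root, directory(root, lambda s, l: (s + ";1").encode("ascii")))
    for (_, _, content), lba in zip(files, extents):
        put(lba, content)
    return bytes(image)

def list_iso_files(image: bytes) -> list:
    """Prefer the Joliet SVD (long names) over the PVD (8.3 names); return root entries."""
    pvd_root = joliet_root = None
    lba = 16
    while True:
        vd = image[lba * SECTOR:(lba + 1) * SECTOR]
        if len(vd) < SECTOR or vd[1:6] != b"CD001":
            raise ValueError("not an ISO 9660 image or truncated descriptor set")
        if vd[0] == 255:
            break
        if vd[0] == 1 and pvd_root is None:
            pvd_root = vd[156:190]
        elif vd[0] == 2 and vd[88:90] == b"%/" and vd[90] in b"@CE":
            joliet_root = vd[156:190]
        lba += 1
    root = joliet_root or pvd_root
    if root is None:
        raise ValueError("no primary volume descriptor")
    joliet = root is joliet_root
    dir_lba, dir_len = struct.unpack_from("<I", root, 2)[0], struct.unpack_from("<I", root, 10)[0]
    directory = image[dir_lba * SECTOR:dir_lba * SECTOR + dir_len]
    entries, pos = [], 0
    while pos < len(directory):
        rec_len = directory[pos]
        if rec_len == 0:                                            # records never straddle a sector
            pos = (pos // SECTOR + 1) * SECTOR
            continue
        rec, pos = directory[pos:pos + rec_len], pos + rec_len
        ident = rec[33:33 + rec[32]]
        if ident in (b"\x00", b"\x01"):                             # "." and ".."
            continue
        name = ident.decode("utf-16-be" if joliet else "ascii").split(";")[0]
        f_lba, f_len = struct.unpack_from("<I", rec, 2)[0], struct.unpack_from("<I", rec, 10)[0]
        entry = {"name": name, "size": f_len}
        if not rec[25] & 0x02:                                      # file (directories: recurse as needed)
            data = image[f_lba * SECTOR:f_lba * SECTOR + f_len]
            entry["sha256"], entry["md5"] = hashlib.sha256(data).hexdigest(), hashlib.md5(data).hexdigest()
        entries.append(entry)
    return entries

# Constructed stand-in for the page's ISO: two PE-looking files and a note.
SAMPLE_FILES = [
    ("IDMAN642.EXE", "idman642build42.exe", b"MZ" + b"\x90" * 300),
    ("INSTRUCT.TXT", "Instructions! .txt", b"abc"),
    ("IDMCRACK.EXE", "IDM_6.4x_Crack_v20.4.exe", b"MZ" + b"UPX!" + b"\x00" * 2100),
]
```

Usage: list_iso_files(open(path, "rb").read()) on the real sample and compare each entry's sha256 with the listing; list_iso_files(build_iso(SAMPLE_FILES)) exercises the parser offline. The reader stops at the root directory on purpose: extend it to recurse on entries whose flag byte has bit 1 set if a lure nests its payload.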
Vendor Threat Intelligence
Verdict: Malicious
Score: 90.9%
Tags: emotet

Verdict: Malicious
File Type: iso
First seen: 2025-12-23T14:03:00Z UTC
Last seen: 2025-12-23T14:16:00Z UTC
Hits: ~10
Detections: HEUR:Trojan-PSW.MSIL.Stealerium.pef
Verdict: Malicious
Threat: Trojan-PSW.MSIL.Stealerium

Threat name: Win64.Trojan.Kepavll
Status: Malicious
First seen: 2025-12-23 16:56:18 UTC
File Type: Binary (Archive)
Extracted files: 19
AV detection: 12 of 36 (33.33%)
Threat level: 5/5

Result
Malware family: stormkitty
Score: 10/10
Tags: family:asyncrat family:stormkitty defense_evasion discovery execution installer persistence rat spyware stealer trojan upx
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Inno Setup is an open-source installation builder for Windows applications.
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
System Time Discovery
Drops file in Windows directory
Command and Scripting Interpreter: PowerShell
Suspicious use of SetThreadContext
UPX packed file
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
ACProtect 1.3x - 1.4x DLL software
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AsyncRat
Asyncrat family
StormKitty
StormKitty payload
Stormkitty family
Please note that we are no longer able to provide a coverage score for Virus Total.
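The behaviour list above is a sandbox's view of one detonation. The same behaviours can be correlated on an endpoint; the script below is an example added here, not MalwareBazaar's or the sandbox vendor's code. It groups Sysmon events (EventID 1 process create, 8 remote thread, 11 file create, 13 registry value set) by process tree and scores the behaviours seen under each root: a dropped EXE being executed, ping.exe, PowerShell, a Run key, a remote thread. The events are constructed, and the weights and the alert threshold are this example's own assumptions to be tuned against a local installer baseline, since a plain Inno Setup installer also drops files and adds Run keys.

```python
"""Turn the sandbox behaviours listed above into a host-side correlation over
Sysmon events (1 process create, 8 remote thread, 11 file create, 13 registry set).
Added example, not MalwareBazaar's or any vendor's code; SAMPLE_EVENTS is
constructed and the weights and threshold are this example's own assumptions."""
from collections import defaultdict

# Weights are assumptions: a Run key alone is ordinary installer behaviour,
# the combination in the sandbox report is what should page someone.
RULES = {
    "dropped_exe_executed": 3,   # "Executes dropped EXE": EventID 1 image was an EventID 11 target
    "ping_exe": 1,               # "Runs ping.exe": ping as a sleep/delay primitive
    "powershell": 2,             # "Command and Scripting Interpreter: PowerShell"
    "run_key": 2,                # "Adds Run key to start application"
    "remote_thread": 3,          # "Suspicious use of WriteProcessMemory" (EventID 8)
}
ALERT_THRESHOLD = 6


def correlate(events):
    """Attribute each event to the top-level process of its tree and score the set
    of behaviours seen under that root. Returns {root image: (score, behaviours)}."""
    parent, image, dropped = {}, {}, set()
    for ev in events:                                     # pass 1: tree and dropped files
        if ev["EventID"] == 1:
            parent[ev["ProcessGuid"]] = ev["ParentProcessGuid"]
            image[ev["ProcessGuid"]] = ev["Image"]
        elif ev["EventID"] == 11:
            dropped.add(ev["TargetFilename"].lower())

    def root_of(guid):
        seen = set()
        while parent.get(guid) in image and guid not in seen:  # stop at a parent we never saw start
            seen.add(guid)
            guid = parent[guid]
        return guid

    observed = defaultdict(set)
    for ev in events:                                     # pass 2: behaviours per root
        root = root_of(ev.get("ProcessGuid") or ev.get("SourceProcessGuid"))
        eid = ev["EventID"]
        if eid == 1:
            img = ev["Image"].lower()
            exe = img.rsplit("\\", 1)[-1]
            if img in dropped:
                observed[root].add("dropped_exe_executed")
            if exe == "ping.exe":
                observed[root].add("ping_exe")
            if exe in ("powershell.exe", "pwsh.exe"):
                observed[root].add("powershell")
        elif eid == 13 and "\\currentversion\\run\\" in ev["TargetObject"].lower():
            observed[root].add("run_key")
        elif eid == 8:
            observed[root].add("remote_thread")
    return {image.get(root, root): (sum(RULES[b] for b in behaviours), behaviours)
            for root, behaviours in observed.items()}


def alerts(events):
    return {img: res for img, res in correlate(events).items() if res[0] >= ALERT_THRESHOLD}


# Constructed Sysmon events. The lure runs from D:\ because Windows mounts a double-clicked
# ISO as a drive; explorer.exe ({E0}) has no EventID 1 here, so it is not part of the tree.
TEMP_EXE = "C:\\Users\\victim\\AppData\\Local\\Temp\\svc.exe"
RUN_KEY = "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{P1}", "ParentProcessGuid": "{E0}", "Image": "D:\\idman642build42.exe"},
    {"EventID": 11, "ProcessGuid": "{P1}", "TargetFilename": TEMP_EXE},
    {"EventID": 1, "ProcessGuid": "{P2}", "ParentProcessGuid": "{P1}", "Image": TEMP_EXE},
    {"EventID": 13, "ProcessGuid": "{P2}", "TargetObject": RUN_KEY, "Details": TEMP_EXE},
    {"EventID": 1, "ProcessGuid": "{P3}", "ParentProcessGuid": "{P2}", "Image": "C:\\Windows\\System32\\cmd.exe"},
    {"EventID": 1, "ProcessGuid": "{P4}", "ParentProcessGuid": "{P3}", "Image": "C:\\Windows\\System32\\PING.EXE"},
    {"EventID": 1, "ProcessGuid": "{P5}", "ParentProcessGuid": "{P2}",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"EventID": 8, "SourceProcessGuid": "{P2}", "TargetProcessGuid": "{T9}", "SourceImage": TEMP_EXE},
    # Benign-looking installer on the same host: Run key only, stays under the threshold.
    {"EventID": 1, "ProcessGuid": "{Q1}", "ParentProcessGuid": "{E0}", "Image": "C:\\Users\\victim\\Downloads\\setup.exe"},
    {"EventID": 13, "ProcessGuid": "{Q1}", "TargetObject": RUN_KEY.rsplit("\\", 1)[0] + "\\setup", "Details": "setup.exe"},
]

if __name__ == "__main__":
    for img, (score, behaviours) in correlate(SAMPLE_EVENTS).items():
        print(f"{score:>2} {img} {sorted(behaviours)}")
```

Two passes are deliberate: the tree has to be complete before behaviours are attributed, because the ping.exe and powershell.exe children arrive several hops below the lure and an EventID 8 carries SourceProcessGuid rather than ProcessGuid. Scoring by root rather than by individual process is what separates the lure's tree (all five behaviours) from the installer that only registers a Run key.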

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Any_SU_Domain
Author: you
Description: Detect any reference to .su domains or subdomains

Rule name: command_and_control
Author: CD_R0M_
Description: This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DetectGoMethodSignatures
Author: Wyatt Tauber
Description: Detects Go method signatures in unpacked Go binaries

Rule name: Detect_Golang_Binary
Author: Andrew Morrow
Description: Detects binaries compiled with Go

Rule name: Disable_Defender
Author: iam-py-test
Description: Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name: GoBinTest

Rule name: golang

Rule name: Golangmalware
Author: Dhanunjaya
Description: Malware in Golang

Rule name: goLangMatch3

Rule name: goLangMatch4

Rule name: golang_binary_string
Description: Golang strings present

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: golang_duffcopy_amd64

Rule name: Golang_Find_CSC846
Author: Ashar Siddiqui
Description: Find Go Signatures

Rule name: Golang_Find_CSC846_Simple
Author: Ashar Siddiqui
Description: Find Go Signatures

Rule name: HiveRansomware
Author: Dhanunjaya
Description: Yara Rule To Detect Hive V4 Ransomware

Rule name: identity_golang
Author: Eric Yocam
Description: find Golang malware

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: ProgramLanguage_Golang
Author: albertzsigovits
Description: Application written in Golang programming language

Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: Suspicious_Golang_Binary
Author: Tim Machac
Description: Triage: Golang-compiled binary with suspicious OS/persistence/network strings (not family-specific)

Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: virustotal
Author: Tracel

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: StormKitty
File type: iso
SHA256 hash: 528da74bdb9e2d14c7efdeae6e6ec95f5311edc6eb894cd29d91c8371c42e88b (this sample)

Comments