MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 52e3ee0168f34ab782a8103dc77814efe970b2a0fc5636a7266a4ea3e9bae2e7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


StormKitty


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 52e3ee0168f34ab782a8103dc77814efe970b2a0fc5636a7266a4ea3e9bae2e7
SHA3-384 hash: 991f7adc3d4bf11467687f8b5d39f18a3f655d4600f29279da8d14599cfb07667afe7d99cdcb04cd251014bbbba889ce
SHA1 hash: 3e7d1b0b961ea899e89902977e36b70fd92351a3
MD5 hash: d865c75250a61c050f69dbb8735581a5
humanhash: east-fifteen-pizza-winter
File name:Ziraat Bankasi Swift Mesaji.exe
Download: download sample
Signature StormKitty
Create hunting rule
File size:22'016 bytes
First seen:2022-08-19 15:21:33 UTC
Last seen:2022-09-01 11:01:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 192:wC1NqE7QSmGvEKL5ccJu5ZtIZlBzeE8hHQ+mv:bxUYubtQBSdXm
Threatray 55 similar samples on MalwareBazaar
TLSH T12DA24007F68E072EFBB957B5397E16704268BF5768456AEC70D0FE8F45B048C09226E2
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 0f2f0f1f271b6931 (13 x AgentTesla, 3 x StormKitty, 2 x Formbook)
Reporter lowmal3
Tags:exe StormKitty

Intelligence

File Origin
# of uploads :
6
# of downloads :
324
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Ziraat Bankasi Swift Mesaji.exe
Verdict:
No threats detected
Analysis date:
2022-08-19 15:23:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/04ac45de-bc7f-431a-b7bd-ba1839a9239d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/299789/
Detection(s):
SecuriteInfo.com.Trojan.Downloader.10124.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Creating a file
Creating a window
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/62ffaadbeb0bf1e2c6f03615/reports/c4833ac9-8fcc-4e73-bc2e-0af9b6690b35/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/30f15cff-5439-4085-90c0-20b944a6200d
Result
Threat name:
AsyncRAT, BluStealer, StormKitty
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1054481
Signature
.NET source code contains potential unpacker
Encrypted powershell cmdline option found
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AsyncRAT
Yara detected BluStealer
Yara detected Generic Downloader
Yara detected Generic Dropper
Yara detected MSILDownloaderGeneric
Yara detected StormKitty Stealer
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 686998 Sample: Ziraat Bankasi Swift Mesaji.exe Startdate: 19/08/2022 Architecture: WINDOWS Score: 100 62 Malicious sample detected (through community Yara rule) 2->62 64 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->64 66 Multi AV Scanner detection for submitted file 2->66 68 11 other signatures 2->68 7 Dtbdiyy.exe 14 4 2->7         started        11 Ziraat Bankasi Swift Mesaji.exe 16 7 2->11         started        14 Dtbdiyy.exe 3 2->14         started        process3 dnsIp4 70 Multi AV Scanner detection for dropped file 7->70 72 Machine Learning detection for dropped file 7->72 74 Encrypted powershell cmdline option found 7->74 16 Dtbdiyy.exe 7->16         started        18 powershell.exe 14 7->18         started        20 Dtbdiyy.exe 7->20         started        22 Dtbdiyy.exe 7->22         started        52 cdn.discordapp.com 162.159.133.233, 443, 49710, 49720 CLOUDFLARENETUS United States 11->52 42 C:\Users\user\AppData\Roaming\...\Dtbdiyy.exe, PE32 11->42 dropped 44 C:\Users\user\...\Dtbdiyy.exe:Zone.Identifier, ASCII 11->44 dropped 46 C:\...\Ziraat Bankasi Swift Mesaji.exe.log, ASCII 11->46 dropped 76 Injects a PE file into a foreign processes 11->76 24 powershell.exe 18 11->24         started        26 Ziraat Bankasi Swift Mesaji.exe 1 11->26         started        28 powershell.exe 14->28         started        30 Dtbdiyy.exe 14->30         started        file5 signatures6 process7 process8 32 AppLaunch.exe 16->32         started        36 conhost.exe 18->36         started        38 conhost.exe 24->38         started        40 conhost.exe 28->40         started        dnsIp9 48 icanhazip.com 104.18.114.97, 49727, 80 CLOUDFLARENETUS United States 32->48 50 144.48.8.0.in-addr.arpa 32->50 54 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 32->54 56 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 32->56 58 May check the online IP address of the machine 32->58 60 2 other signatures 32->60 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/52e3ee0168f34ab782a8103dc77814efe970b2a0fc5636a7266a4ea3e9bae2e7/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2022-08-19 15:22:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=klr64ali6nflpavica64o6au57uxbmva7rldnjzgnjhkh2n24ltq._file
Verdict:
malicious
Similar samples:
0f9e71d60e3069524b211280f87d329ea279c0b59b08826a14eec3cf97f9c839
StormKitty
317977d99bebf5f65a24d6460fa2f98f5e875d1f85f12a430acb69f8dd3dfbdf
StormKitty
4177cb74219e4ff3d5453eba44a7a0c149591bd3b4eadfe52972567f317d40c3
StormKitty
68c1282423c90b52016ae92efc0147ea092bce10c032e762e6268466a5d26ab9
StormKitty
b536513867d9991572cef648d74c9a141a113f25b429f62ac11b2994c89fb832
StormKitty
b87d5599c82843ff6c28a6d92d0d99759e3e39ffeca638c1b9cd3c74e7a2631e
StormKitty
c1ffbd89a550c5c4f03d5a595efca82943336d0fd2b6b7592252d7cc18389628
StormKitty
cd5f1820af33d2e6f034ca088a5fd83592835c722aca63d9f4912ea2e7996d00
StormKitty
d155ea0a4a537254282a6049ded1dc2a2451b35579bc88a20131a1f1cfdcff95
StormKitty
e1679dfd928e95fb441b2027b69d0e802e6c52585801a54e77e8837ddb7a2663
StormKitty
+ 45 additional samples on MalwareBazaar
Result
Malware family:
stormkitty
Create hunting rule
Score:
  10/10
Tags:
family:blustealer family:stormkitty collection discovery persistence stealer
Link:
https://tria.ge/reports/220819-srv77afaer/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Creates a large amount of network flows
BluStealer
StormKitty
StormKitty payload
Unpacked files
SH256 hash:
52e3ee0168f34ab782a8103dc77814efe970b2a0fc5636a7266a4ea3e9bae2e7
MD5 hash:
d865c75250a61c050f69dbb8735581a5
SHA1 hash:
3e7d1b0b961ea899e89902977e36b70fd92351a3
Link:
https://www.unpac.me/results/557b7338-36ee-4a9a-bd18-2dba6d624603/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.38
Link:
https://yomi.yoroi.company/submissions/52e3ee0168f34ab782a8103dc77814efe970b2a0fc5636a7266a4ea3e9bae2e7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_Discord_Attachments_URL
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects a PE file that contains an Discord Attachments URL. This is often used by Malware to download further payloads
Rule name:SUSP_PE_Discord_Attachment_Oct21_1
Create hunting rule
Author:Florian Roth
Description:Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

StormKitty

Executable exe 52e3ee0168f34ab782a8103dc77814efe970b2a0fc5636a7266a4ea3e9bae2e7

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/299789/

Comments